Messages - franco

#1
Context: this is a FreeBSD fix for an issue introduced last year by a FreeBSD security advisory.


Cheers,
Franco
#2
The post-install package script does the install. If you do "pkg install -f opnsense" what happens?


Cheers,
Franco
#3
Quote from: AG_2023 on July 18, 2025, 12:19:10 AM
> Steps to reproduce are simple:
>
> Go to System:Settings:General and there is a Picture option. Choose a large picture file on the PC and upload. Then reboot the firewall. Most likely, it will fail to reboot as config.xml could not be read.

So I take a random image and then I cannot reproduce it? I'd rather have an image provided that definitely exhibits the issue please.


Cheers,
Franco
#4
Quite a few people inside and outside of FreeBSD talked about the state of the security advisory since August 2024 causing this problem amongst a significant number of others:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

The only conclusion is nobody cared back then and nobody really cares now. Everyone is just a volunteer when it comes to responsibility.  :)


Cheers,
Franco
#5
I know, this is a bit of a different problem scope from "disable integrated authentication".
#6
Disabling root+sudo is straightforward.  There is no need to expose root anywhere (although it's the historic default because it was always pinned to UID 0).

We can consider adding separate authenticator support for system and perhaps sudo and/or sshd but this needs to be considered:

Inheriting settings from web GUI currently set or going out of sync later which can pose a risk of lockout or easy access in the worst case.

I'll look into it in exchange for a ticket on GitHub.


Cheers,
Franco
#7
To put it like it is: it was not worth their time.


Cheers,
Franco
#8
Hi there,

The feature was a compatibility shim predating the pam_opnsense integration and it was provided until we moved the access management to MVC/API which prompted all sorts of related cleanups and simplifications of UNIX user management (especially not rendering users that are not even allowed shell access).

One of the problems with disabled integrated authentication is that it downgrades password strength through SSH and for the console.  Console is less risk because you need "physical" access, but the game changes in SSH password authentication which should be avoided.

I usually recommend disabling root and using sudo for the separate admin account:

"sudo su" for the root console
"sudo -s" for a root shell

For physical systems in server racks I enable auto console log in so I don't have to deal with this at all. The rack or the server room should provide enough protection.  ;)

One thing that could be considered missing is a more fine-grained authentication matrix for separate facilities such as sshd, sudo and system which is all tied to web GUI authentication at the moment.

The removal commit for reference:

https://github.com/opnsense/core/commit/514f87adb8

Cheers,
Franco
#9
Yep. We were debating putting it into 25.1.11 but decided not to because stable commits from that direction have a chance to make things much worse.

This was a clear mistake in the initial FreeBSD ICMP state SA that we talked about 9 months ago and FreeBSD brushed off.  Inspecting the patch, FreeBSD didn't ever look into this bug as it was submitted by a user now.

https://github.com/opnsense/src/commit/a18d19bb2d


Cheers,
Franco
#10
Above the provided output there should be the actual error from when the user and group should be added:

https://github.com/opnsense/core/blob/517c1c6f72c1d5f8fc66d1094d42308b40ffe10b/%2BPOST_INSTALL#L12-L21

At the moment that is a cosmetic issue as this is only for prepping the privilege separation which may become the default in 26.1.


Cheers,
Franco
#11
Yes, it's the only thing still left on my TODO list besides testing.


Cheers,
Franco
#12
> This is something OPNsense developers should look at. I used a built-in feature which should not have caused any issues.

Fair, just need steps to reproduce please.


Cheers,
Franco
#13
Announcements / OPNsense 25.7-RC2 released
July 17, 2025, 04:51:56 PM
How are you doing?

This is the second release candidate for your consideration.  A kernel update
was included to keep up with FreeBSD stable/14.  A few nice things have
been added to Dnsmasq as well.  This is an online update only.

Here are the development highlights since version 25.1 came out:

o Replace the setup wizard with a modern MVC/API variant
o Switch to reusable frontend code
o ChartJS 4 update and related functionality migrations
o User manager CSV export and import option
o New plugin for SFTP configuration backups
o Move frontend grid from Bootgrid to Tabulator
o Optional privilege separation for the web GUI (running as non-root)
o User/group manager adds optional source network constraint
o JSON container support for aliases
o Firewall automation GUI revamp
o Performance improvements when using large amounts of aliases
o Dnsmasq DHCP support for small and medium sized setups
o Support advanced (manual) configurations in Kea
o Add IPv6 support (including prefix delegation) to Kea
o Bridges MVC migration
o Migrate IPsec mobile page to MVC
o Greek as a new language
o FreeBSD 14.3

And these are the full patch notes against 25.7-RC1:

o system: fix passing "arguments" as parameters for cron jobs
o firewall: code cleanup and performance improvements for alias diagnostics page
o dnsmasq: add CNAME configuration option to host overrides
o dnsmasq: add optional subnet mask to "dhcp-range" to satisfy DHCP relay requirements
o dnsmasq: fix empty DHCP option value spawning stray comma
o lang: make more strings translate-able (contributed by Tobias Degen)
o lang: further updates
o isc-dhcp: add static mapping CSV export
o backend: trigger boot template reload without using configd
o mvc: use getNodeContent to gather grid data
o ui: adjusted grid command column sizes appropriately where needed
o ui: exclude container fields from search functionality for now
o src: bnxt: fix BASE-T, 40G AOC, 1G-CX, autoneg and unknown media lists
o src: net80211: in ieee80211_sta_join() only do_ht if HT is avail
o src: linuxkpi: assorted changes from stable/14
o src: iwlwifi: compile in ACPI support
o src: rtw89: enable ACPI support on FreeBSD
o src: ifconfig: optimise non-listing case with netlink
o src: pf: fix ICMP ECHO handling of ID conflicts

Migration notes, known issues and limitations:

o Deprecated Google Drive backups due to upstream policy changes and moved to plugins for existing users.
o API URLs registered in the default ACLs have been switched from "camelCase" to "snake_case".
o API grid return values now offer "%field" for a value description when available. "field" will now always be the literal value from the configuration. The API previously returned a display value for some field types, but not all.
o Reverted tunables "hw.ibrs_disable" and "vm.pmap.pti" to FreeBSD defaults.
o The new wizard still has bugs relating to disabling LAN configuration.
o Moved OpenVPN legacy to plugins as a first step to deprecation.
o Moved IPsec legacy to plugins as a first step to deprecation.


Stay safe,
Your OPNsense team
#14
A few people actually, but I fail to see why 25.1.11 is special and would break simplexml in particular. It smells like an issue with a third party repo interaction but nobody has given a hint in that direction yet.

https://github.com/opnsense/core/issues/8944

Unfortunately recovering without reinstall is cumbersome in these particular cases breaking PHP execution.


Cheers,
Franco
#15
Click "details" on the right in the respective overview row. It's listed there as "Dynamic IPv6 prefix received".


Cheers,
Franco