[Solved] Web GUI as "wwwonly" user - how?

Started by OPNenthu, July 25, 2025, 12:59:00 PM

July 25, 2025, 12:59:00 PM Last Edit: July 25, 2025, 01:07:54 PM by OPNenthu
The 25.7 release announcement references this change:

Quote:
o system: allow experimental feature to run web GUI privilege separated as "wwwonly" user

I don't see any option to enable this in the web GUI settings, unless I missed it.  How do we try this?
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x 2.5GbE (I226-V)
Site 2 |  J4125 | 8GB | 256GB | 4x 1GbE (I210)

Check out the bottom of the system settings administration page
Hardware:
DEC740

Ah, definitely missed it.  "Strict security" option under Deployment section.  Thanks @Monviech

Note we're still working on adjusting components to play nice. Especially legacy pages may have issues with that for now. Could be the case for plugins as well.

But it's also been progressing pretty well so far. If you use the system for API-only purposes it's relatively unlikely you will hit a bug.


Cheers,
Franco

Only using a few plugins as of now, but will keep an eye out.

This seems like a good security option.  Thanks for adding it :)

Only took 10 years of planning, but we're getting there :)

July 29, 2025, 09:19:38 PM #6 Last Edit: July 29, 2025, 09:34:23 PM by OPNenthu
I did finally hit some snags and it's crashing the UI, although I'm not entirely sure that this is the culprit.  I'm assuming so.

I've already submitted the first crash instance with the built-in crash reporter tool.

The first error came when I tried to disable an interface option under Interfaces->[GUEST]->Track IPv6->Manual configuration:

PHP Fatal error:  Uncaught TypeError: fstat(): Argument #1 ($stream) must be of type resource, false given in /usr/local/opnsense/mvc/app/library/OPNsense/Core/FileObject.php:117
Stack trace:
#0 /usr/local/opnsense/mvc/app/library/OPNsense/Core/FileObject.php(117): fstat(false)
#1 /usr/local/opnsense/mvc/app/library/OPNsense/Core/FileObject.php(147): OPNsense\Core\FileObject->read()
#2 /usr/local/etc/inc/interfaces.inc(3898): OPNsense\Core\FileObject->readJson()
#3 /usr/local/etc/inc/interfaces.inc(3855): interfaces_neighbors_configure('vlan0.20', Array)
#4 /usr/local/etc/inc/interfaces.inc(2426): interfaces_staticarp_configure('opt2', Array)
#5 /usr/local/www/interfaces.php(560): interface_configure(false, 'opt2', true)
#6 {main}
  thrown in /usr/local/opnsense/mvc/app/library/OPNsense/Core/FileObject.php on line 117


I also tried to disable the security setting in System->Administration and I got another error then:

PHP Fatal error:  Uncaught TypeError: fwrite(): Argument #1 ($stream) must be of type resource, false given in /usr/local/etc/inc/system.inc:1340
Stack trace:
#0 /usr/local/etc/inc/system.inc(1340): fwrite(false, '#\n')
#1 /usr/local/www/system_advanced_admin.php(390): system_login_configure()
#2 {main}
  thrown in /usr/local/etc/inc/system.inc on line 1340

I have a snapshot from before enabling the setting so will restore from that.  Going to keep this disabled for now and give it a little more time to bake :)  Hope these traces are useful.

Thanks for reporting these. The underlying issue is simple: static pages ending in *.php are much more likely not to be ready, having been written 10-20 years ago, and the setting makes sense to get them ready. We will look into these soon.


Cheers,
Franco
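The two traces above share one shape: a file handle that came back as `false` was passed straight to fstat() or fwrite(), which PHP 8 turns into a TypeError and the web GUI into a fatal error. The following is an added illustration written for this thread, not OPNsense code and not a fix for the traces. It assumes (the traces do not say why) that the open failed because the privilege-separated "wwwonly" user could not access the file, and shows the fragile shape beside a defensive one that checks the handle and reports the effective user and the OS reason instead of crashing. Function names and the demo path are made up for the example.

```php
<?php
// Added example, not OPNsense code. Reproduces the failure class from the
// traces (fstat()/fwrite() called on `false`) and shows the defensive pattern.
// Assumption: under the "wwwonly" user the file could not be opened, so
// fopen() returned false; the original traces do not show the reason.
declare(strict_types=1);

// Fragile shape: mirrors the failing code path. When fopen() fails, $fh is
// false and PHP 8 throws TypeError from fstat(), which becomes a fatal error.
function readJsonFragile(string $path): array
{
    $fh = @fopen($path, 'r');
    $size = fstat($fh)['size'];                  // TypeError if $fh === false
    $data = $size > 0 ? fread($fh, $size) : '';
    fclose($fh);
    return json_decode($data, true) ?? [];
}

// Who is actually running the request (e.g. "wwwonly" vs root).
function currentUid(): int
{
    return function_exists('posix_geteuid') ? posix_geteuid() : -1;
}

// Build an actionable error from the last OS-level failure.
function openFailure(string $what, string $path): RuntimeException
{
    $err = error_get_last()['message'] ?? 'unknown error';
    return new RuntimeException(sprintf(
        'cannot open %s for %s as uid %d: %s', $path, $what, currentUid(), $err));
}

// Defensive read: verify the handle, always close it, and fail loudly with
// context instead of letting a TypeError surface as a GUI crash.
function readJsonChecked(string $path): array
{
    $fh = @fopen($path, 'r');
    if ($fh === false) {
        throw openFailure('reading', $path);
    }
    try {
        $size = fstat($fh)['size'];
        $data = $size > 0 ? fread($fh, $size) : '';
    } finally {
        fclose($fh);
    }
    if ($data === '') {
        return [];
    }
    $decoded = json_decode($data, true, 512, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : [];
}

// Defensive write: same check before fwrite(), the second trace's failure.
function writeChecked(string $path, string $content): void
{
    $fh = @fopen($path, 'w');
    if ($fh === false) {
        throw openFailure('writing', $path);
    }
    try {
        if (fwrite($fh, $content) === false) {
            throw new RuntimeException("short write to $path as uid " . currentUid());
        }
    } finally {
        fclose($fh);
    }
}

// Demonstration on a constructed path that cannot be opened (no real config).
$demo = '/nonexistent/demo.json';
try {
    readJsonFragile($demo);
} catch (TypeError $e) {
    echo "fragile: ", $e->getMessage(), "\n";     // the class of error in the traces
}
try {
    readJsonChecked($demo);
} catch (RuntimeException $e) {
    echo "checked: ", $e->getMessage(), "\n";     // names the path, uid and OS reason
}
try {
    writeChecked($demo, "#\n");
} catch (RuntimeException $e) {
    echo "checked: ", $e->getMessage(), "\n";
}
```

Run it as the unprivileged user (for instance with su or sudo -u on the firewall) to see the uid in the message: the value of the check is that a permission problem introduced by privilege separation is reported as "cannot open ... as uid N: Permission denied" rather than as a TypeError deep inside a legacy page.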