[SOLVED]Undeleteable User- You do not have the permission to perform this action

[beeric]

Hello,

Running the latest 21.1.4. I'm currently logged in as root.

This morning I created a new user and assigned him to the admin group. I couldn't login as that user, so I gave him escalated rights by editing "Effective Privileges" under the user just to test. It seems as soon as I did this, the user became untouchable. I can no longer edit anything, including even adding a name or description.

I logged into the console and removed the user from admins group, but I assume OPNsense isn't reading the OS level groups? "pw groupmod admins -d <user>" and he's no longer an admins user, but the Web UI still shows him in the admins group.

The user has a certificate linked to him, but I can't remove it from certs page, and I can't edit the user to unlink it either.

When I go to the WebUI Groups, I have just the "admins" group, with 2 members (root and this user). I've rebooted, but no change.

I'm wary of messing around too much on the console side, as I don't want to remove him in the OS, but have config files or something that still reference him in OPNsense.

Thoughts on how to make this user editable again? I don't know his password, so I can't login as him to the WebUI or SSH.

[marjohn56]

Two ways, either edit the config.xml file removing the user or grab one of the backups in /conf/backup and import it. Remember to pick one that was dated before you added the user. Reboot.. done.

[beeric]

Hmm.. I grabbed a safe backup file, tried to apply in the UI (as root user) and it says:
The following input errors were detected:
You do not have the permission to perform this action.

I don't understand. Somehow root lost permissions?

I checked in the UI, and

• There are only 2 users (root and my user)
• They are both recognized as system admins (denoted by red user icon).
• There is only 1 group (admins) and both users are part of it

I've logged in via SSH.

• root and the user are still part of the admins group, according to /etc/group

Root user can still do other things. I created a Firewall rule just fine and could delete it. But I can't seem to do system administration, even on the root user. I can't create a new user either, even just a low level user - not an admin.

[beeric]

If I recall correctly, the last edit I made in any of the sections was not to the root user, but to the extra user I created. The user already existed and was an admin, but I couldn't SSH. So for testing purposes, I added the user to the admins group, and I edited the "Effective Permissions" under this user. I clicked "Select all" and saved. I'm not sure which action it was, but since that point, I haven't been able to make changes to any user as the root user.

[marjohn56]

This is what I would do. If you have a windows PC, using WINSCP find a back up file that dates to a time before you added the new user. make a note of the name. Now SSH into the shell and issue the command:

cp /conf/backup/config-filename.xml /conf/config.xml

Then do a hard reboot.

If the shell will not let you do that, then try "sudo cp /conf/backup/config-filename.xml /conf/config.xml" and see if it accepts your credentials.


You might also want to backup your /conf directory to your PC. Mine auto backs up conf and a few other critical scripts every night.

[beeric]

That makes sense! Wasn't sure how to apply config from shell. I don't seem to be limited as root on the shell, so I'll give that a shot tomorrow once an outage is acceptable in the house.

Thanks!

[Inxsible]

Yet another option -- since you have a backup config -- re-install opnsense. During installation select your backup config file or after the installation is complete, reload the backup config, reboot and you are done.

[beeric]

Well.. I have no idea how OPNsense ended up in that position, but your solution fixed it. Root didn't have any permission issues at the OS level, so I was able to easily just copy a good backup in place of the existing config.xml and a reboot restored everything to the way it should be.

I'll be setting up automated config backups now on this system, since I didn't have those enabled before.

Thanks marjohn56 & Inxsible!