Bug: Adding a user to a group in the UI no longer adds them to the unix group

Started by davidolrik, March 31, 2025, 12:05:07 PM

Hi,

I have just discovered a small bug regarding user group membership:

When editing a user in the UI, adding or removing a user from a group no longer updates the unix group membership.

Bug seen on OPNsense 25.1.4_1-amd64

--
Best regards,
David Jack Wange Olrik

It is possible that you encounter the following:

OPNsense 25.1 released

Quote: The access management was rewritten in MVC and contains behavioural changes including not rendering UNIX accounts for non-shell users. [...]
Deciso DEC740

Quote from: patient0 on March 31, 2025, 12:20:34 PM
It is possible that you encounter the following:

OPNsense 25.1 released


I don't think so, I have 4 installations with OPNsense 25.1.4_1-amd64 and only one of them is exhibiting the problem.

All of the users are non-admin accounts with a shell configured so they can be used as a jump host.

The UI renders fine, but adding or removing group membership has no effect.

As a workaround, I've just added the user to the unix group manually like so `sudo pw group mod ssh -m <username>`

Quote from: davidolrik on March 31, 2025, 08:23:08 PM
As a workaround, I've just added the user to the unix group manually like so `sudo pw group mod ssh -m <username>`

That won't survive a reboot, IIRC.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


Quote from: davidolrik on April 03, 2025, 08:33:33 PM
Quote from: Patrick M. Hausen on March 31, 2025, 10:35:40 PM
That won't survive a reboot, IIRC.

It does indeed survive a reboot.

Interesting, thanks. What about doing any modification on users and/or groups in the UI and clicking "save"?

Quote from: Patrick M. Hausen on April 03, 2025, 08:37:32 PM
Interesting, thanks. What about doing any modification on users and/or groups in the UI and clicking "save"?

That's the problem I'm experiencing, using the UI does nothing for the unix groups. I've tried editing both individual fields and the group selector.
State change is remembered in the UI but not reflected in the unix groups.

And I just found out that while a manual change using `sudo pw group mod ssh -m <username>` does survive a reboot - it does not survive an upgrade to 25.1.7_2

I've played around a bit more, and I have found that group removal is reflected in the unix groups, but not adding a user to a group (tested on an admin user).

OPNsense does not use the Unix groups. It comes with its own PAM module:

https://github.com/opnsense/ports/tree/master/opnsense/pam


Quote from: Patrick M. Hausen on May 21, 2025, 10:20:13 AM
OPNsense does not use the Unix groups. It comes with its own PAM module:

https://github.com/opnsense/ports/tree/master/opnsense/pam

Well, ssh still does, and OPNsense used to keep group membership in sync, which allowed me to create a special group called ssh and put all users that need ssh access in that group (even users with /usr/sbin/nologin set as shell).

This no longer works; now only admins get to have ssh access through the wheel group.

I use OPNsense as a jumphost, and setting an additional group in "System->Settings->Administration->Secure shell->Login group" no longer has any effect for any user.