Splash
August 29, 2018, 12:55pm
1
If you add a user to the default “full” group, the user is able to upload new firmware, download backups, etc. If you create a new group with all permissions ticked, the user is unable to upload new firmware or download backup files. Comparing the 2 groups, there are no options that are different through the UI; the only thing I can suspect is that there are hidden permissions attached to the original admin group called full.
This presents a problem where a new group is created for administrators that log in through RADIUS and don’t use a local account.
Why would there be a difference between the 2 groups?
strods
August 30, 2018, 11:06am
2
Please provide output of “/user export” command. There are no hidden permissions that would differ default user and/or group from ones added later on.
normis
August 30, 2018, 11:09am
3
I am unable to repeat the issue. A new group with all checkboxes, then a user assigned to this new group, can do all the mentioned things.
Splash
August 30, 2018, 11:38am
4
/user group
add name=support policy=ssh,read,test,winbox,api,tikapp,!local,!telnet,!ftp,!reboot,!write,!policy,!password,!web,!sniff,!sensitive,!romon,!dude
add name=admin policy=local,telnet,ssh,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,tikapp,!ftp,!web,!romon,!dude
/user
add comment="system default user" group=full name=admin
/user aaa
set accounting=no default-group=support exclude-groups=full,read,write use-radius=yes
Users are authenticated using RADIUS and placed into the group admin
normis
August 30, 2018, 11:43am
5
You have set default-group support and you can’t set group with RADIUS itself, as far as I know (not for system users).
Splash
August 30, 2018, 11:46am
7
Correct, but through RADIUS auth, you can set the group the user must be attached to. It works for all other admin functions, i.e. write access.
splash Cleartext-Password := “password”
Mikrotik-Group = “admin”
Hi,
You said that you had assigned all permissions to the admin group, but your export showed otherwise:
add name=admin policy=local,telnet,ssh,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,tikapp,!ftp,!web,!romon,!dude
So the admin group has all policies enabled except ftp, web, romon, and dude. I think the ftp permission is required to read/write files.
Splash
September 6, 2018, 11:54am
11
Yup, interesting to note that ftp permission may be required for winbox to upload a file. I will definitely check and confirm this.
Splash
September 6, 2018, 11:58am
12
Thanks, it seems you are correct, Winbox requires the FTP permission to upload files to the device.
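Added example, not from the thread or from MikroTik: a small parser for the `/user group` lines of a `/user export` (the sample below is copied from post 4) that reports which policies a group denies, so a missing policy such as ftp shows up without reading the `!` entries by eye. The "required for file upload" set is an assumption taken from the thread's conclusion that Winbox uploads need the ftp policy.

```python
import re

# Constructed sample input: the /user group lines from the export posted in this thread.
EXPORT = """\
/user group
add name=support policy=ssh,read,test,winbox,api,tikapp,!local,!telnet,!ftp,!reboot,!write,!policy,!password,!web,!sniff,!sensitive,!romon,!dude
add name=admin policy=local,telnet,ssh,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,tikapp,!ftp,!web,!romon,!dude
"""

# Assumption based on the thread's conclusion: a Winbox file upload needs the ftp policy.
FILE_UPLOAD_REQUIRED = {"ftp"}


def parse_groups(export_text):
    """Return {group_name: (allowed, denied)} from RouterOS '/user group' export lines.

    Only lines of the form 'add name=<group> policy=<list>' are considered;
    a leading '!' in the policy list marks a denied policy.
    """
    groups = {}
    for line in export_text.splitlines():
        m = re.match(r"add name=(\S+) policy=(\S+)", line.strip())
        if not m:
            continue
        allowed, denied = set(), set()
        for item in m.group(2).split(","):
            (denied if item.startswith("!") else allowed).add(item.lstrip("!"))
        groups[m.group(1)] = (allowed, denied)
    return groups


def all_policies(groups):
    """Union of every policy name seen in the export, allowed or denied."""
    names = set()
    for allowed, denied in groups.values():
        names |= allowed | denied
    return names


def missing_policies(groups, name, required):
    """Sorted list of policies in `required` that the group does not grant."""
    allowed, _ = groups.get(name, (set(), set()))
    return sorted(set(required) - allowed)


if __name__ == "__main__":
    g = parse_groups(EXPORT)
    for name in g:
        print(name, "denies:", missing_policies(g, name, all_policies(g)))
        print(name, "missing for file upload:", missing_policies(g, name, FILE_UPLOAD_REQUIRED))
```

Comparing a group against `all_policies(g)` is the "diff against the full group" the original poster did by eye in the UI.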