Splash
Member Candidate
Topic Author
Posts: 151
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Group rights inconsistencies

Wed Aug 29, 2018 3:55 pm

If you add a user to the default "full" group, the user is able to upload new firmware, download backups etc. If you create a new group with all permissions ticked, the user is unable to upload new firmware or download backup files. Comparing the 2 groups, there are no options that are different through the UI; the only thing I can suspect is that there are hidden permissions that have been attached to the original admin group called full.

This presents a problem where a new group is created for administrators that log in through RADIUS and don't use a local account.

Why would there be a difference between the 2 groups?
MTCNA, MTCRE, MTCINE, MTCTCE, MTCIPv6E, MTCUME
 
strods
MikroTik Support
Posts: 1409
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Group rights inconsistencies

Thu Aug 30, 2018 2:06 pm

Please provide the output of the "/user export" command. There are no hidden permissions that would differentiate the default user and/or group from ones added later on.
 
normis
MikroTik Support
Posts: 24268
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Group rights inconsistencies

Thu Aug 30, 2018 2:09 pm

I am unable to repeat the issue. A new group with all checkboxes, then a user assigned to this new group, can do all the mentioned things.
No answer to your question? How to write posts
 
Splash
Member Candidate
Topic Author
Posts: 151
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Group rights inconsistencies

Thu Aug 30, 2018 2:38 pm

/user group
add name=support policy=ssh,read,test,winbox,api,tikapp,!local,!telnet,!ftp,!reboot,!write,!policy,!password,!web,!sniff,!sensitive,!romon,!dude
add name=admin policy=local,telnet,ssh,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,tikapp,!ftp,!web,!romon,!dude
/user
add comment="system default user" group=full name=admin
/user aaa
set accounting=no default-group=support exclude-groups=full,read,write use-radius=yes

Users are authenticated using RADIUS and placed into the group admin.
 
normis
MikroTik Support
Posts: 24268
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Group rights inconsistencies

Thu Aug 30, 2018 2:43 pm

You have set default-group support and you can't set group with RADIUS itself, as far as I know (not for system users).
 
Splash
Member Candidate
Topic Author
Posts: 151
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Group rights inconsistencies

Thu Aug 30, 2018 2:44 pm

# aug/30/2018 13:41:38 by RouterOS 6.42.7
# software id = 5Q9K-P6FX
#
# model = CCR1036-8G-2S+
# serial number = 91A808AD192F
/user group
add name=support policy=ssh,read,test,winbox,api,tikapp,!local,!telnet,!ftp,!reboot,!write,!policy,!password,!web,!sniff,!sensitive,!romon,!dude
add name=admin policy=local,telnet,ssh,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,tikapp,!ftp,!web,!romon,!dude
/user
add comment="system default user" group=full name=admin
/user aaa
set accounting=no default-group=support exclude-groups=full,read,write use-radius=yes

examples:
> /export file=test.rsc
not enough permissions (9)
 
Splash
Member Candidate
Topic Author
Posts: 151
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Group rights inconsistencies

Thu Aug 30, 2018 2:46 pm

> You have set default-group support and you can't set group with RADIUS itself, as far as I know (not for system users).

Correct, but through RADIUS auth, you can set the group the user must be attached to. It works for all other admin functions, i.e. write access.

splash  Cleartext-Password := "password"
        Mikrotik-Group = "admin"
 
Splash
Member Candidate
Topic Author
Posts: 151
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Group rights inconsistencies

Thu Aug 30, 2018 2:47 pm

> /user active print detail
Flags: R - radius, M - by-romon
0 R when=aug/30/2018 13:40:33 name="splash" address=10.18.0.1 via=winbox group=admin
 
Splash
Member Candidate
Topic Author
Posts: 151
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Group rights inconsistencies

Wed Sep 05, 2018 9:23 pm

*bump*
 
mducharme
Trainer
Posts: 874
Joined: Tue Jul 19, 2016 6:45 pm

Re: Group rights inconsistencies

Wed Sep 05, 2018 10:16 pm

> *bump*

Hi,

You said that you had assigned all permissions to the admin group, but your export showed otherwise:

add name=admin policy=local,telnet,ssh,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,tikapp,!ftp,!web,!romon,!dude

So the admin group has all policies enabled except ftp, web, romon, and dude. I think the ftp permission is required to read/write files.
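
Added example, not part of the original posts: a Python check over the `/user group` section of a `/user export` that lists which policies each custom group lacks, using the policy names visible in this thread's export. `ALL_POLICIES`, the function names and the wrapped-line handling are assumptions of this example; that file transfer needs `ftp` is the thread's own conclusion.

```python
import re

# Policy names seen in the RouterOS 6.42.7 export posted in this thread
# (assumption: other RouterOS versions may define a different set).
ALL_POLICIES = {
    "local", "telnet", "ssh", "ftp", "reboot", "read", "write", "policy",
    "test", "winbox", "password", "web", "sniff", "sensitive", "api",
    "romon", "dude", "tikapp",
}

# Constructed sample input: the group lines from the export quoted above.
SAMPLE_EXPORT = """\
/user group
add name=support policy=ssh,read,test,winbox,api,tikapp,!local,!telnet,!ftp,!reboot,!write,!policy,!password,!web,!sniff,!sensitive,!romon,!dude
add name=admin policy=local,telnet,ssh,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,tikapp,!ftp,!web,!romon,!dude
/user
add comment="system default user" group=full name=admin
"""


def parse_groups(export_text):
    """Map each group in the '/user group' section to its enabled policies."""
    # Assumption: long export lines are wrapped with a trailing backslash.
    text = re.sub(r"\\\r?\n\s*", "", export_text)
    groups, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            section = line
        elif section == "/user group" and line.startswith("add "):
            name = re.search(r'\bname=("[^"]*"|\S+)', line)
            policy = re.search(r"\bpolicy=(\S+)", line)
            if name and policy:
                items = policy.group(1).split(",")
                groups[name.group(1).strip('"')] = {
                    p for p in items if p and not p.startswith("!")
                }
    return groups


def missing_policies(export_text, group):
    """Policies the group does not have: negated with '!' or not listed."""
    return sorted(ALL_POLICIES - parse_groups(export_text)[group])


def groups_without_file_transfer(export_text):
    """Groups lacking 'ftp', which this thread found Winbox uploads need."""
    return sorted(g for g, p in parse_groups(export_text).items() if "ftp" not in p)
```

The built-in `full` group does not appear in the export posted in this thread, so it is absent from the result; only groups listed under `/user group` are checked.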
 
Splash
Member Candidate
Topic Author
Posts: 151
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Group rights inconsistencies

Thu Sep 06, 2018 2:54 pm

Yup, interesting to note that ftp permission may be required for winbox to upload a file. I will definitely check and confirm this.
 
Splash
Member Candidate
Topic Author
Posts: 151
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Group rights inconsistencies  [SOLVED]

Thu Sep 06, 2018 2:58 pm

Thanks, it seems you are correct; Winbox requires the FTP permission to upload files to the device.