Splash
Member Candidate
Topic Author
Posts: 206
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Group rights inconsistencies

Wed Aug 29, 2018 3:55 pm

If you add a user to the default "full" group, the user is able to upload new firmware, download backups etc. If you create a new group with all permissions ticked, the user is unable to upload new firmware or download backup files. Comparing the 2 groups, there are no options that are different through the UI; the only thing I can suspect is that there are hidden permissions that have been attached to the original admin group called full.

This presents a problem where a new group is created for administrators that log in through RADIUS and don't use a local account.

Why would there be a difference between the 2 groups?
 
strods
MikroTik Support
Posts: 1623
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: Group rights inconsistencies

Thu Aug 30, 2018 2:06 pm

Please provide the output of the "/user export" command. There are no hidden permissions that would differentiate the default user and/or group from ones added later on.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Group rights inconsistencies

Thu Aug 30, 2018 2:09 pm

I am unable to repeat the issue. A new group with all checkboxes, then a user assigned to this new group, can do all the mentioned things.
 
Splash
Member Candidate
Topic Author
Posts: 206
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Group rights inconsistencies

Thu Aug 30, 2018 2:38 pm

/user group
add name=support policy=ssh,read,test,winbox,api,tikapp,!local,!telnet,!ftp,!reboot,!write,!policy,!password,!web,!sniff,!sensitive,!romon,!dude
add name=admin policy=local,telnet,ssh,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,tikapp,!ftp,!web,!romon,!dude
/user
add comment="system default user" group=full name=admin
/user aaa
set accounting=no default-group=support exclude-groups=full,read,write use-radius=yes

Users are authenticated using RADIUS and placed into the group admin.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Group rights inconsistencies

Thu Aug 30, 2018 2:43 pm

You have set default-group support and you can't set group with RADIUS itself, as far as I know (not for system users).
 
Splash
Member Candidate
Topic Author
Posts: 206
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Group rights inconsistencies

Thu Aug 30, 2018 2:44 pm

# aug/30/2018 13:41:38 by RouterOS 6.42.7
# software id = 5Q9K-P6FX
#
# model = CCR1036-8G-2S+
# serial number = 91A808AD192F
/user group
add name=support policy=ssh,read,test,winbox,api,tikapp,!local,!telnet,!ftp,!reboot,!write,!policy,!password,!web,!sniff,!sensitive,!romon,!dude
add name=admin policy=local,telnet,ssh,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,tikapp,!ftp,!web,!romon,!dude
/user
add comment="system default user" group=full name=admin
/user aaa
set accounting=no default-group=support exclude-groups=full,read,write use-radius=yes

examples:
> /export file=test.rsc
not enough permissions (9)
 
Splash
Member Candidate
Topic Author
Posts: 206
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Group rights inconsistencies

Thu Aug 30, 2018 2:46 pm

normis wrote:
You have set default-group support and you can't set group with RADIUS itself, as far as I know (not for system users).

Correct, but through RADIUS auth, you can set the group the user must be attached to. It works for all other admin functions, i.e. write access.

splash  Cleartext-Password := "password"
        Mikrotik-Group = "admin"
 
Splash
Member Candidate
Topic Author
Posts: 206
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Group rights inconsistencies

Thu Aug 30, 2018 2:47 pm

> /user active print detail
Flags: R - radius, M - by-romon
0 R when=aug/30/2018 13:40:33 name="splash" address=10.18.0.1 via=winbox group=admin
 
Splash
Member Candidate
Topic Author
Posts: 206
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Group rights inconsistencies

Wed Sep 05, 2018 9:23 pm

*bump*
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Group rights inconsistencies

Wed Sep 05, 2018 10:16 pm

Splash wrote:
*bump*

Hi,

You said that you had assigned all permissions to the admin group, but your export showed otherwise:

add name=admin policy=local,telnet,ssh,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,tikapp,!ftp,!web,!romon,!dude

So the admin group has all policies enabled except ftp, web, romon, and dude. I think the ftp permission is required to read/write files.
 
Splash
Member Candidate
Topic Author
Posts: 206
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Group rights inconsistencies

Thu Sep 06, 2018 2:54 pm

Yup, interesting to note that ftp permission may be required for winbox to upload a file. I will definitely check and confirm this.
 
Splash
Member Candidate
Topic Author
Posts: 206
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: Group rights inconsistencies  [SOLVED]

Thu Sep 06, 2018 2:58 pm

Thanks, it seems you are correct: Winbox requires the FTP permission to upload files to the device.
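
Added example (not part of the original thread and not MikroTik tooling): a small Python check that parses the `/user group` section of an export like the one posted above and lists the policies each group negates with `!`, which is how the custom `admin` group turned out not to have every permission. The function names are hypothetical, and the `ftp` requirement for file transfer is taken from the thread's conclusion.

```python
import re

# Constructed sample: the configuration lines from the export posted in the thread.
EXPORT = """\
/user group
add name=support policy=ssh,read,test,winbox,api,tikapp,!local,!telnet,!ftp,!reboot,!write,!policy,!password,!web,!sniff,!sensitive,!romon,!dude
add name=admin policy=local,telnet,ssh,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,tikapp,!ftp,!web,!romon,!dude
/user
add comment="system default user" group=full name=admin
/user aaa
set accounting=no default-group=support exclude-groups=full,read,write use-radius=yes
"""


def parse_groups(export_text):
    """Return {group: (granted, denied)} for every 'add' line under /user group."""
    # Exports wrap long lines with a trailing backslash; join them first.
    text = re.sub(r"\\\r?\n\s*", "", export_text)
    groups, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif section == "/user group" and line.startswith("add "):
            name = re.search(r'\bname=("[^"]*"|\S+)', line)
            policy = re.search(r"\bpolicy=(\S+)", line)
            if name and policy:
                items = policy.group(1).split(",")
                granted = {p for p in items if not p.startswith("!")}
                denied = {p[1:] for p in items if p.startswith("!")}
                groups[name.group(1).strip('"')] = (granted, denied)
    return groups


def denied_policies(export_text, group):
    """Policies the export explicitly negates with '!' for this group."""
    return sorted(parse_groups(export_text)[group][1])


def missing_policies(export_text, group, required):
    """Required policies the group does not grant (negated or simply absent)."""
    return sorted(set(required) - parse_groups(export_text)[group][0])


if __name__ == "__main__":
    for group in parse_groups(EXPORT):
        print(group, "denies:", ", ".join(denied_policies(EXPORT, group)))
    # Assumption taken from the thread's conclusion: file transfer needs 'ftp'.
    print("admin lacks:", missing_policies(EXPORT, "admin", ["write", "policy", "ftp"]))
```

Running the same check against every group that RADIUS can assign through Mikrotik-Group shows which administrators will hit "not enough permissions" before they do.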
