Group rights inconsistencies

Posted: Wed Aug 29, 2018 3:55 pm
by Splash
If you add a user to the default "full" group, the user is able to upload new firmware, download backups etc. If you create a new group with all permissions ticked, the user is unable to upload new firmware or download backup files. Comparing the 2 groups, there are no options that are different through the UI, the only thing I can suspect is there are hidden permissions that have been attached to the original admin group called full.

This presents a problem where a new group is created for administrators that login through radius and don't use a local account.

Why would there be a difference between the 2 groups?

Re: Group rights inconsistencies

Posted: Thu Aug 30, 2018 2:06 pm
by strods
Please provide the output of the "/user export" command. There are no hidden permissions that would make the default user and/or group differ from ones added later on.

Re: Group rights inconsistencies

Posted: Thu Aug 30, 2018 2:09 pm
by normis
I am unable to repeat the issue. A new group with all checkboxes, then a user assigned to this new group, can do all the mentioned things.

Re: Group rights inconsistencies

Posted: Thu Aug 30, 2018 2:38 pm
by Splash
/user group
add name=support policy=ssh,read,test,winbox,api,tikapp,!local,!telnet,!ftp,!reboot,!write,!policy,!password,!web,!sniff,!sensitive,!romon,!dude
add name=admin policy=local,telnet,ssh,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,tikapp,!ftp,!web,!romon,!dude
/user
add comment="system default user" group=full name=admin
/user aaa
set accounting=no default-group=support exclude-groups=full,read,write use-radius=yes

Users are authenticated using RADIUS and placed into the group admin.

Re: Group rights inconsistencies

Posted: Thu Aug 30, 2018 2:43 pm
by normis
You have set default-group support and you can't set group with RADIUS itself, as far as I know (not for system users).

Re: Group rights inconsistencies

Posted: Thu Aug 30, 2018 2:44 pm
by Splash
# aug/30/2018 13:41:38 by RouterOS 6.42.7
# software id = 5Q9K-P6FX
#
# model = CCR1036-8G-2S+
# serial number = 91A808AD192F
/user group
add name=support policy=ssh,read,test,winbox,api,tikapp,!local,!telnet,!ftp,!reboot,!write,!policy,!password,!web,!sniff,!sensitive,!romon,!dude
add name=admin policy=local,telnet,ssh,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,tikapp,!ftp,!web,!romon,!dude
/user
add comment="system default user" group=full name=admin
/user aaa
set accounting=no default-group=support exclude-groups=full,read,write use-radius=yes

examples:
> /export file=test.rsc
not enough permissions (9)

Re: Group rights inconsistencies

Posted: Thu Aug 30, 2018 2:46 pm
by Splash
You have set default-group support and you can't set group with RADIUS itself, as far as I know (not for system users).

Correct, but through RADIUS auth you can set the group the user must be attached to. It works for all other admin functions, i.e. write access.

splash Cleartext-Password := "password"
Mikrotik-Group = "admin"

Re: Group rights inconsistencies

Posted: Thu Aug 30, 2018 2:47 pm
by Splash
> /user active print detail
Flags: R - radius, M - by-romon
0 R when=aug/30/2018 13:40:33 name="splash" address=10.18.0.1 via=winbox group=admin

Re: Group rights inconsistencies

Posted: Wed Sep 05, 2018 9:23 pm
by Splash
*bump*

Re: Group rights inconsistencies

Posted: Wed Sep 05, 2018 10:16 pm
by mducharme
Hi,

You said that you had assigned all permissions to the admin group, but your export showed otherwise:

add name=admin policy=local,telnet,ssh,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,tikapp,!ftp,!web,!romon,!dude

So the admin group has all policies enabled except ftp, web, romon, and dude. I think the ftp permission is required to read/write files.
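The check mducharme did by eye (compare a custom group's policy list against the built-in "full" group and spot the denied policies) is easy to automate against a "/user export" dump. The following is an added example, not code from the thread or from MikroTik: it parses the "/user group" lines of an export, separates granted from "!"-denied policies, and reports what each group lacks relative to "full". The policy names are the eighteen that appear in the export above; the assumption that "full" grants all of them is this example's model, not something the export states, and the sample export text is constructed from the thread's lines.

```python
"""Compare RouterOS user-group policies from a '/user export' dump.

Added example, not from the forum thread or from MikroTik. It reads the
'/user group' section of an export, expands each policy list into the set
of granted policies (entries prefixed with '!' are denials), and reports
which policies a group lacks compared with the built-in 'full' group.
"""
import re

# Policy names exactly as they appear in the thread's RouterOS 6.42.7 export.
ALL_POLICIES = frozenset({
    "local", "telnet", "ssh", "ftp", "reboot", "read", "write", "policy",
    "test", "winbox", "password", "web", "sniff", "sensitive", "api",
    "romon", "dude", "tikapp",
})

# The thread's finding: Winbox file upload/download needs the 'ftp' policy.
FILE_TRANSFER_POLICIES = frozenset({"ftp"})

# Constructed sample, copied in shape from the export posted in the thread.
SAMPLE_EXPORT = """\
/user group
add name=support policy=ssh,read,test,winbox,api,tikapp,!local,!telnet,!ftp,!reboot,!write,!policy,!password,!web,!sniff,!sensitive,!romon,!dude
add name=admin policy=local,telnet,ssh,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,tikapp,!ftp,!web,!romon,!dude
/user
add comment="system default user" group=full name=admin
/user aaa
set accounting=no default-group=support exclude-groups=full,read,write use-radius=yes
"""

_NAME_RE = re.compile(r'\bname=(\S+)')
_POLICY_RE = re.compile(r'\bpolicy=(\S+)')


def parse_user_groups(export_text):
    """Return {group_name: set of granted policies} from the '/user group' section.

    The built-in 'full' group is not printed by export; it is modelled here
    as granting every policy in ALL_POLICIES (an assumption of this example).
    """
    groups = {"full": set(ALL_POLICIES)}
    section = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):          # section header, e.g. '/user aaa'
            section = line
            continue
        if section != "/user group" or not line.startswith("add "):
            continue
        name_m, policy_m = _NAME_RE.search(line), _POLICY_RE.search(line)
        if not (name_m and policy_m):
            continue
        granted = set()
        for item in policy_m.group(1).split(","):
            if item.startswith("!"):      # explicit denial: not granted
                continue
            granted.add(item)
        groups[name_m.group(1)] = granted
    return groups


def missing_policies(groups, group_name, reference="full"):
    """Policies the reference group grants that group_name does not."""
    return groups[reference] - groups[group_name]


def file_transfer_blocked(groups, group_name):
    """True when the group lacks a policy needed for file upload/download."""
    return not FILE_TRANSFER_POLICIES <= groups[group_name]


def report(export_text):
    """Human-readable summary, one line per non-'full' group."""
    groups = parse_user_groups(export_text)
    lines = []
    for name in sorted(groups):
        if name == "full":
            continue
        missing = ",".join(sorted(missing_policies(groups, name)))
        note = " (file transfer blocked)" if file_transfer_blocked(groups, name) else ""
        lines.append(f"{name}: missing vs full -> {missing or 'none'}{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```

Run it against a real export (for example the file written by "/export file=test.rsc") by replacing SAMPLE_EXPORT with the file contents; a group that reports "file transfer blocked" is one whose RADIUS-mapped users will hit "not enough permissions" when uploading firmware or downloading backups through Winbox.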

Re: Group rights inconsistencies

Posted: Thu Sep 06, 2018 2:54 pm
by Splash
Yup, interesting to note that ftp permission may be required for winbox to upload a file. I will definitely check and confirm this.

Re: Group rights inconsistencies  [SOLVED]

Posted: Thu Sep 06, 2018 2:58 pm
by Splash
Thanks, it seems you are correct, Winbox requires the FTP permission to upload files to the device.