Nethserver-delegation needs testers

Strange thing. After setting user delegations (Dashboard panel, shutdown, Users manager, User profile) and logging out from root, I’m trapped in an Anonymous session with full permission:

/var/log/messages reports the root user logout:

Jul  9 12:35:32 server httpd-admin: [NOTICE] Nethgui\Module\Logout: user root logged out

but server-admin keeps logged in as Anonymous, and any logout attempt reports:

Jul  9 13:06:26 server httpd-admin: [NOTICE] Nethgui\Module\Logout: user  logged out
Jul  9 13:06:30 server httpd-admin: [NOTICE] Nethgui\Module\Logout: user  logged out

/var/log/secure shows:

Jul  9 13:06:27 server sudo:   srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/usr/libexec/nethserver/password-expiration
Jul  9 13:06:30 server sudo:   srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/usr/libexec/nethserver/password-expiration

Can access all panels but dashboard.
Clearing browsing data or closing and reopening the browser has no effect.
When browsing to the server-manager from a different browser no login prompt is requested, instead I’m directly logged-in as Anonymous, with full access (as before).
Rebooting the server has no difference.

The delegated user has a ' character within the LastName:

#/var/log/secure
COMMAND=/sbin/e-smith/db accounts setprop user1 FirstName User Street  Department  Uid 5000 MailStatus enabled PhoneNumber  MailForwardStatus disabled AdminAllPanels disabled City  PassExpires yes LastName O'ne Company  Samba enabled MailSpamRetentionStatus disabled __state active AdminPanels Dashboard,Shutdown,User,UserProfile

/var/log/audit/audit.log:

type=USER_START msg=audit(1499601307.224:2434): user pid=10940 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1499601307.246:2435): user pid=10940 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1499601307.246:2436): user pid=10940 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_CMD msg=audit(1499601307.255:2437): user pid=10944 uid=498 auid=4294967295 ses=4294967295 msg='cwd="/usr/share/nethesis/nethserver-manager" cmd=2F7362696E2F652D736D6974682F6C6F67766965776572202D6F2031323732373637202F7661722F6C6F672F61756469742F61756469742E6C6F67 terminal=? res=success'
type=CRED_ACQ msg=audit(1499601307.257:2438): user pid=10944 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'

A warning logged:

Use of uninitialized value in numeric gt (>) at /usr/share/perl5/vendor_perl/Authen/SASL/Perl.pm line 130.

for a dependency from centos-base repo:

# rpm -qf /usr/share/perl5/vendor_perl/Authen/SASL/Perl.pm
perl-Authen-SASL-2.13-3.el6.noarch

Edit: Restored a good snapshot + updates, created a user, set delegation for disk usage: same behavior.

1 Like

I cannot reproduce :cry:

is it the same with another vm ?

It is not a bug, it is a feature :slight_smile:

edit : same behaviour when I created a user and its password but with no previous login

The template I put in /usr/share/nethesis/NethServer/Authorization/DelegatedPanel.json is the bug, let’s investigate

I recall to have tried with a user with no previous login or with login just to server-manager (but no ssh or anything else).

could you please test something
in /usr/share/nethesis/NethServer/Authorization/DelegatedPanel.json remove the 2,3,4 line

[
-{
-}
-,

Yep! it works.

in fact I’m the bug, I needed to do a quick trick (I noted fixme in the code, because I known that it was bad)

For NS6 ONLY

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegated-panel/nethserver-delegated-panel-0.0.5-1.ns6.sdl.noarch.rpm

after that you can choose which panels are available for what groups or users

thank @dnutan for finding the bug

NS7 version is coming

3 Likes

thinking loudly, please add your sand

does nethserver-delegated-panel is a good name, does nethserver-delegation could be better…or propose yours

the goal is to delegate the access to the server-manager for users and groups.

What do you want to become reality with a delegation module

For NS7…yeah I did it

1 Like

for ns6

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegated-panel/nethserver-delegated-panel-0.0.6-1.ns6.sdl.noarch.rpm

for ns7

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegated-panel/nethserver-delegated-panel-0.1.1-1.ns7.sdl.noarch.rpm

3 Likes

I prefer this. How do others call thing like that? Delegation?
Great job anyway!

Haven’t tried the new version yet but a cosmetic question arises from the screenshot. Does the “Delegate all panels” either ticks or disables (block control) all other checkboxes, when active?

Good remark as always :slight_smile:

Maybe the delegate all checkbox can be removed and replaced with a select all link (jquery?), then the other checkboxes don’t need to be grouped in an expandable list.

for ns6

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegation/nethserver-delegation-0.0.7-1.ns6.sdl.noarch.rpm

for ns7

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegation/nethserver-delegation-0.1.2-1.ns7.sdl.noarch.rpm

for now it is a FIELDSET_EXPANDABLE

2 Likes
  • Dashboard is not accessible as it is redirected to UserProfile (NethServer default behaviour for unprivileged users)
  • User Profile panel is always accessible

What’s the expected delegation precedence for users and nested groups?

1 Like

this is an historic Issue from core @davidep what we can do for this.

Maybe an userspace page?
A small page interface that contains links to services for this user:
-webmail/Integrated suite (even Cloud service)
-WebRTC Asterisk
-OpenVPN cert/config download
-PW page change
-delegated panel access
-whatever?

3 Likes