Nethserver-delegation needs testers

Strange thing. After setting user delegations (Dashboard panel, shutdown, Users manager, User profile) and logging out from root, I’m trapped in an Anonymous session with full permission:

/var/log/messages reports the root user logout:

Jul  9 12:35:32 server httpd-admin: [NOTICE] Nethgui\Module\Logout: user root logged out

but server-admin keeps logged in as Anonymous, and any logout attempt reports:

Jul  9 13:06:26 server httpd-admin: [NOTICE] Nethgui\Module\Logout: user  logged out
Jul  9 13:06:30 server httpd-admin: [NOTICE] Nethgui\Module\Logout: user  logged out

/var/log/secure shows:

Jul  9 13:06:27 server sudo:   srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/usr/libexec/nethserver/password-expiration
Jul  9 13:06:30 server sudo:   srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/usr/libexec/nethserver/password-expiration

Can access all panels but dashboard.
Clearing browsing data or closing and reopening the browser has no effect.
When browsing to the server-manager from a different browser no login prompt is requested, instead I’m directly logged-in as Anonymous, with full access (as before).
Rebooting the server has no difference.

The delegated user has a ' character within the LastName:

#/var/log/secure
COMMAND=/sbin/e-smith/db accounts setprop user1 FirstName User Street  Department  Uid 5000 MailStatus enabled PhoneNumber  MailForwardStatus disabled AdminAllPanels disabled City  PassExpires yes LastName O'ne Company  Samba enabled MailSpamRetentionStatus disabled __state active AdminPanels Dashboard,Shutdown,User,UserProfile

/var/log/audit/audit.log:

type=USER_START msg=audit(1499601307.224:2434): user pid=10940 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1499601307.246:2435): user pid=10940 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1499601307.246:2436): user pid=10940 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_CMD msg=audit(1499601307.255:2437): user pid=10944 uid=498 auid=4294967295 ses=4294967295 msg='cwd="/usr/share/nethesis/nethserver-manager" cmd=2F7362696E2F652D736D6974682F6C6F67766965776572202D6F2031323732373637202F7661722F6C6F672F61756469742F61756469742E6C6F67 terminal=? res=success'
type=CRED_ACQ msg=audit(1499601307.257:2438): user pid=10944 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'

A warning logged:

Use of uninitialized value in numeric gt (>) at /usr/share/perl5/vendor_perl/Authen/SASL/Perl.pm line 130.

for a dependency from centos-base repo:

# rpm -qf /usr/share/perl5/vendor_perl/Authen/SASL/Perl.pm
perl-Authen-SASL-2.13-3.el6.noarch

Edit: Restored a good snapshot + updates, created a user, set delegation for disk usage: same behavior.

I cannot reproduce

is it the same with another vm ?

It is not a bug, it is a feature

edit : same behaviour when I created a user and its password but with no previous login

The template I put in /usr/share/nethesis/NethServer/Authorization/DelegatedPanel.json is the bug, let’s investigate

I recall to have tried with a user with no previous login or with login just to server-manager (but no ssh or anything else).

could you please test something
in /usr/share/nethesis/NethServer/Authorization/DelegatedPanel.json remove the 2,3,4 line

[
-{
-}
-,

Yep! it works.

in fact I’m the bug, I needed to do a quick trick (I noted fixme in the code, because I known that it was bad)

For NS6 ONLY

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegated-panel/nethserver-delegated-panel-0.0.5-1.ns6.sdl.noarch.rpm

after that you can choose which panels are available for what groups or users

thank @dnutan for finding the bug

NS7 version is coming

thinking loudly, please add your sand

does nethserver-delegated-panel is a good name, does nethserver-delegation could be better…or propose yours

the goal is to delegate the access to the server-manager for users and groups.

What do you want to become reality with a delegation module

Capture d'écran de 2017-07-20 15-43-43.png1923×942 106 KB

Capture d'écran de 2017-07-20 15-43-51.png894×800 92.4 KB

For NS7…yeah I did it

for ns6

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegated-panel/nethserver-delegated-panel-0.0.6-1.ns6.sdl.noarch.rpm

for ns7

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegated-panel/nethserver-delegated-panel-0.1.1-1.ns7.sdl.noarch.rpm

I prefer this. How do others call thing like that? Delegation?
Great job anyway!

Haven’t tried the new version yet but a cosmetic question arises from the screenshot. Does the “Delegate all panels” either ticks or disables (block control) all other checkboxes, when active?

Good remark as always

Maybe the delegate all checkbox can be removed and replaced with a select all link (jquery?), then the other checkboxes don’t need to be grouped in an expandable list.

for ns6

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegation/nethserver-delegation-0.0.7-1.ns6.sdl.noarch.rpm

for ns7

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegation/nethserver-delegation-0.1.2-1.ns7.sdl.noarch.rpm

for now it is a FIELDSET_EXPANDABLE

• Dashboard is not accessible as it is redirected to UserProfile (NethServer default behaviour for unprivileged users)
• User Profile panel is always accessible

What’s the expected delegation precedence for users and nested groups?

this is an historic Issue from core @davidep what we can do for this.

Maybe an userspace page?
A small page interface that contains links to services for this user:
-webmail/Integrated suite (even Cloud service)
-WebRTC Asterisk
-OpenVPN cert/config download
-PW page change
-delegated panel access
-whatever?