
Radius clients don’t have simple permissions
Closed, Resolved · Public · Bug

Description

RADIUS clients don't have simple permissions for diagnostics, for example ping or traceroute.

Minimal configuration:

set system login radius server 192.168.122.14 key 'foo'

Connect to VyOS node with radius client and try to ping:

foo@r1> ping 192.0.2.1
[sudo] password for foo: 
Sorry, user foo is not allowed to execute '/usr/sbin/ip vrf exec default /bin/ping 192.0.2.1' as root on r1.
foo@r1>

Radius-server users file:

foo             Cleartext-Password := "bar"

A workaround is to add permissions for the users group:

echo "%users ALL=(ALL) NOPASSWD: /usr/sbin/ip vrf exec * " | sudo tee /etc/sudoers.d/radius_clients

Check ping after workaround:

foo@r1> ping 1.1.1.1 count 2
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=56 time=37.1 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=56 time=37.0 ms

--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 37.032/37.060/37.088/0.028 ms
foo@r1>

I guess it should be some separate group with the required permissions.

Details

Difficulty level: Normal (likely a few hours)
Version: VyOS 1.3-stable-202207110427
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Related Objects

Mentioned In
1.3.3

Event Timeline

Viacheslav renamed this task from "Radius clients doesnt have simple permissions" to "Radius clients don’t have simple permissions". Jul 14 2022, 6:46 PM

Hi @Viacheslav,

can you please share your configuration? Using Microsoft NPS as RADIUS backend with this configuration I can not reproduce the issue.

set system login radius server 172.16.100.10 key 'secret'
set system login radius server 172.16.100.10 port '1812'
set system login radius server 172.16.100.10 timeout '2'
set system login radius source-address '172.18.254.201'

Also your prompt foo@r1> indicates you are not a privileged user (radius_priv_user) but only a regular operator user (radius_user). Does your RADIUS server send: shell:priv-lvl=15?

It is operator level, that shouldn’t have permission for configurations. Only basic diagnostics (op-mode)

It is operator level, that shouldn’t have permission for configurations. Only basic diagnostics (op-mode)

Operator mode is no longer supported in VyOS 1.4

Even if so - we should still try to "support" it somehow for the upcoming future when there is a true secure op-mode again.

Could you please add a new Cmnd_Alias for VRF to /etc/sudoers.d/vyos and allow it for the %operator group?

ip vrf exec requires the CAP_SYS_ADMIN capability which somehow is more or less equal to root.


As far as I know we have no access levels for now, maybe we should keep shell:priv-lvl=15 by default?

Several access levels are required on our end. In my opinion an operator / read only user should also be able to perform some basic commands (like ping and arp)

@dannyvanderaa this is true - but as of VyOS 1.3 there is no longer an operator mode due to security issues. Operator level was removed; it will come back once the entire codebase rewrite is complete.

In T4533#126598, @c-po wrote:

It is operator level, that shouldn’t have permission for configurations. Only basic diagnostics (op-mode)

Operator mode is no longer supported in VyOS 1.4

Even if so - we should still try to "support" it somehow for the upcoming future when there is a true secure op-mode again.

Could you please add a new Cmnd_Alias for VRF to /etc/sudoers.d/vyos and allow it for the %operator group?

ip vrf exec requires the CAP_SYS_ADMIN capability which somehow is more or less equal to root.

It works with ip vrf exec *

Cmnd_Alias VRF = /bin/ip vrf exec *
%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
                        PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
                        DMIDECODE, DISK, CONNTRACK, IP6TABLES,  \
                        FORCE_CLUSTER, VRF

PR https://github.com/vyos/vyos-1x/pull/1598

radius_user@r14> 
radius_user@r14> ping 192.0.2.2 count 1
PING 192.0.2.2 (192.0.2.2) 56(84) bytes of data.
64 bytes from 192.0.2.2: icmp_seq=1 ttl=64 time=0.493 ms

--- 192.0.2.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.493/0.493/0.493/0.000 ms
radius_user@r14> 
radius_user@r14> traceroute 192.0.2.2
traceroute to 192.0.2.2 (192.0.2.2), 30 hops max, 60 byte packets
 1  192.0.2.2 (192.0.2.2)  0.525 ms  0.462 ms  0.451 ms
radius_user@r14> 
radius_user@r14> show vpn ipsec sa
Connection         State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------------------------
OFFICE-B-tunnel-0  down     15m49s    0B/0B           0/0               192.0.2.2         192.0.2.2    AES_CBC_256/HMAC_SHA2_256_128/MODP_1024
OFFICE-B-tunnel-0  down     29m43s    0B/0B           0/0               192.0.2.2         192.0.2.2    AES_CBC_256/HMAC_SHA2_256_128/MODP_1024
OFFICE-B-tunnel-0  up       2s        0B/0B           0/0               192.0.2.2         192.0.2.2    AES_CBC_256/HMAC_SHA2_256_128/MODP_1024
radius_user@r14>
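To see exactly what the Cmnd_Alias above grants, here is a small evaluator (added example, not VyOS or PR code) that applies sudoers matching rules to a constructed fragment containing the VRF alias and the %operator rule. It assumes the simplified semantics of sudo's command matching: the command path must match the spec literally, a spec without arguments admits any arguments, and a `*` in the argument part matches the whole remaining argument string, whitespace included; that last rule is why the alias admits any program after `vrf exec <name>`, which is the root-equivalence point raised above. The DATE alias body is constructed for illustration.

```python
"""Evaluate a sudoers fragment with sudo-style command matching (added example)."""
import fnmatch
import re
import shlex

# Constructed fragment: VRF alias and %operator rule as in the PR, plus a
# constructed DATE alias so alias expansion has a second entry to resolve.
SUDOERS_FRAGMENT = r"""
Cmnd_Alias DATE = /bin/date
Cmnd_Alias VRF = /bin/ip vrf exec *
%operator ALL=NOPASSWD: DATE, \
                        VRF
"""


def parse_sudoers(text):
    """Return {group: [command spec, ...]} with Cmnd_Alias names expanded.
    Only 'Cmnd_Alias' and '%group' lines are handled; host and RUNAS are ignored."""
    lines = [l.strip() for l in text.replace("\\\n", " ").splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    aliases, rules = {}, {}
    for line in lines:
        if line.startswith("Cmnd_Alias"):
            name, body = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [c.strip() for c in body.split(",")]
        elif line.startswith("%"):
            group, rhs = line[1:].split(None, 1)
            cmnds = rhs.split("=", 1)[1].strip()                # drop host list
            cmnds = re.sub(r"^\([^)]*\)\s*", "", cmnds)         # drop (RUNAS)
            cmnds = re.sub(r"^(\w+:\s*)+", "", cmnds)           # drop NOPASSWD: etc.
            specs = []
            for c in (x.strip() for x in cmnds.split(",")):
                specs.extend(aliases.get(c, [c]))               # expand alias
            rules.setdefault(group, []).extend(specs)
    return rules


def _spec_matches(spec, argv):
    """Literal path match, then a glob over the joined argument string."""
    spec_argv = shlex.split(spec)
    if spec_argv[0] != argv[0]:
        return False
    if len(spec_argv) == 1:          # no args in sudoers: any args are allowed
        return True
    return fnmatch.fnmatchcase(" ".join(argv[1:]), " ".join(spec_argv[1:]))


def permitted(rules, groups, command):
    """True when any of the user's groups has a spec that admits the command."""
    argv = shlex.split(command)
    return any(_spec_matches(s, argv) for g in groups for s in rules.get(g, []))
```

Running the evaluator against the ping and traceroute invocations from the session above shows them admitted for the operator group and denied for a user that is only in `users`, and also that a command such as `/usr/bin/whoami` after `vrf exec default` is admitted just the same, which is the audit finding to keep in mind when shipping this alias.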

Viacheslav changed the task status from Open to Needs testing. Oct 14 2022, 6:30 PM
c-po added a subscriber: c-po.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.3) board.
c-po moved this task from Backport Candidates to Finished on the VyOS 1.4 Sagitta board.