Page MenuHomeVyOS Platform
Create Task
Maniphest T4533

Radius clients don’t have simple permissions
Closed, ResolvedPublicBUG
Actions

Description

Radius clients don't have simple permissions for diagnostics, for example, ping or traceroute

Minimal configuration:

set system login radius server 192.168.122.14 key 'foo'

Connect to VyOS node with radius client and try to ping:

[email protected]> ping 192.0.2.1
[sudo] password for foo: 
Sorry, user foo is not allowed to execute '/usr/sbin/ip vrf exec default /bin/ping 192.0.2.1' as root on r1.
[email protected]>

Radius-server users file:

foo             Cleartext-Password := "bar"

A workaround is add permissions for group users

echo "%users ALL=(ALL) NOPASSWD: /usr/sbin/ip vrf exec * " | sudo tee /etc/sudoers.d/radius_clients

Check ping after workaround:

[email protected]> ping 1.1.1.1 count 2
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=56 time=37.1 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=56 time=37.0 ms

--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 37.032/37.060/37.088/0.028 ms
[email protected]>

I guess it should be some separate group with required permissions.

Details

Difficulty level
Normal (likely a few hours)
Version
VyOS 1.3-stable-202207110427
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav assigned this task to c-po.Jul 14 2022, 3:34 PM
Viacheslav created this task.
Viacheslav added a project: VyOS 1.4 Sagitta.Jul 14 2022, 3:38 PM
Viacheslav renamed this task from Radius clients doesnt have simple permissions to Radius clients don’t have simple permissions.Jul 14 2022, 6:46 PM
pasik added a subscriber: pasik.Jul 14 2022, 8:29 PM
c-po added a comment.Jul 18 2022, 5:40 AM

Hi @Viacheslav,

can you please share your configuration? Using Microsoft NPS as RADIUS backend with this configuration I can not reproduce the issue.

set system login radius server 172.16.100.10 key 'secret'
set system login radius server 172.16.100.10 port '1812'
set system login radius server 172.16.100.10 timeout '2'
set system login radius source-address '172.18.254.201'

Also your prompt [email protected]> indicates you are not a priviledged user (radius_priv_user) but only a regular operator user (radius_user). Does your RADIUS server send: shell:priv-lvl=15?

Viacheslav added a comment.EditedJul 18 2022, 6:53 AM

It is operator level, that shouldn’t have permission for configurations. Only basic diagnostics (op-mode)

c-po added a comment.EditedJul 18 2022, 8:35 AM
In T4533#126578, @Viacheslav wrote:

It is operator level, that shouldn’t have permission for configurations. Only basic diagnostics (op-mode)

Operator mode is no longer supported in VyOS 1.4

Even if so - we should still try to "support" it somehow for the upcoming future when there is a true secure op-mode again.

Could you please add a new Cmnd_Alias vor VRF to /etc/sudoers.d/vyos and allow it for the %operator group?

ip vrf exec requires the CAP_SYS_ADMIN capability which somehow is more or less equal to root.

Dmitry added a subscriber: Dmitry.Jul 18 2022, 10:21 AM

As I know we have not access by level for now, maybe we should keep shell:priv-lvl=15 by default?

dannyvanderaa added a subscriber: dannyvanderaa.Jul 19 2022, 5:32 AM

Several access levels are required on our end. In my opinion an operator / read only user should also be able to perform some basic commands (like ping and arp)

c-po added a comment.Jul 19 2022, 6:27 AM

@dannyvanderaa this is true - but as of VyOS 1.3 there is no longer an operator mode due to security issues. Operator level was removed, it will come back once the entire codebase rewrite is complete.

aalmenar added a subscriber: aalmenar.Jul 19 2022, 9:29 AM
dmbaturin edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.2).Aug 14 2022, 6:48 PM
Viacheslav added a comment.Aug 29 2022, 10:13 AM
In T4533#126598, @c-po wrote:
In T4533#126578, @Viacheslav wrote:

It is operator level, that shouldn’t have permission for configurations. Only basic diagnostics (op-mode)

Operator mode is no longer supported in VyOS 1.4

Even if so - we should still try to "support" it somehow for the upcoming future when there is a true secure op-mode again.

Could you please add a new Cmnd_Alias vor VRF to /etc/sudoers.d/vyos and allow it for the %operator group?

ip vrf exec requires the CAP_SYS_ADMIN capability which somehow is more or less equal to root.

It works with ip vrf exec *

Cmnd_Alias VRF = /bin/ip vrf exec *
%operator ALL=NOPASSWD: DATE, IPTABLES, ETHTOOL, IPFLUSH, HWINFO, \
                        PPPOE_CMDS, PCAPTURE, /usr/sbin/wanpipemon, \
                        DMIDECODE, DISK, CONNTRACK, IP6TABLES,  \
                        FORCE_CLUSTER, VRF
Viacheslav added a comment.Oct 14 2022, 6:11 PM

PR https://github.com/vyos/vyos-1x/pull/1598

[email protected]> 
[email protected]> ping 192.0.2.2 count 1
PING 192.0.2.2 (192.0.2.2) 56(84) bytes of data.
64 bytes from 192.0.2.2: icmp_seq=1 ttl=64 time=0.493 ms

--- 192.0.2.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.493/0.493/0.493/0.000 ms
[email protected]> 
[email protected]> 
[email protected]> 
[email protected]> traceroute 192.0.2.2
traceroute to 192.0.2.2 (192.0.2.2), 30 hops max, 60 byte packets
 1  192.0.2.2 (192.0.2.2)  0.525 ms  0.462 ms  0.451 ms
[email protected]> 
[email protected]> 
[email protected]> 
[email protected]> show vpn ipsec sa
Connection         State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------------------------
OFFICE-B-tunnel-0  down     15m49s    0B/0B           0/0               192.0.2.2         192.0.2.2    AES_CBC_256/HMAC_SHA2_256_128/MODP_1024
OFFICE-B-tunnel-0  down     29m43s    0B/0B           0/0               192.0.2.2         192.0.2.2    AES_CBC_256/HMAC_SHA2_256_128/MODP_1024
OFFICE-B-tunnel-0  up       2s        0B/0B           0/0               192.0.2.2         192.0.2.2    AES_CBC_256/HMAC_SHA2_256_128/MODP_1024
[email protected]>
Viacheslav moved this task from Need Triage to Backport Candidates on the VyOS 1.4 Sagitta board.Oct 14 2022, 6:24 PM
Viacheslav changed the task status from Open to Needs testing.Oct 14 2022, 6:30 PM
c-po reassigned this task from c-po to Viacheslav.Oct 18 2022, 9:10 AM
c-po added a subscriber: c-po.
c-po added a comment.Oct 18 2022, 9:31 AM

PR for VyOS 1.3 https://github.com/vyos/vyatta-cfg-system/pull/187

c-po closed this task as Resolved.Oct 18 2022, 7:36 PM
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.3) board.
c-po moved this task from Backport Candidates to Finished on the VyOS 1.4 Sagitta board.