Potential Bug: Read Only User able to crash syslogd service

Avg-IT-Guy · Nov 26, 2024, 4:54 PM

This occurs when a user is assigned to a group with at least the following permissions:

User - Config: Deny Config Write
WebCfg - Status: Logs: Settings

If the user navigates to Status > System Logs > Settings and they make a change, such as "Log packets matched from the default pass rules put in the ruleset" or "Send log messages to remote syslog server", the GUI will show the settings saved. Upon a refresh you can see these settings were not saved; however, if you check the system log you'll see:

syslogd		exiting on signal 15

At this point, no further logging will take place.
The syslogd service will show it is running, but it must be restarted in order for logging to resume.

When the syslogd service is restarted, the following is logged:

nginx		2024/11/26 08:31:19 [error] 98553#100154: send() failed (54: Connection reset by peer) while logging to syslog, server: unix:/var/run/log

Confirmed across several devices on versions:

pfSense + 23.09.1-RELEASE
pfSense CE 2.7.2-RELEASE

stephenw10 · Nov 26, 2024, 11:15 PM

Mmm, seeing something similar here. Digging....

stephenw10 · Nov 26, 2024, 11:30 PM

Are you able to test in 24.11?

Do you actually see the config change?

Testing here the denied user is still to make changes to the running syslog conf file which shouldn't happen.

stephenw10 · Nov 26, 2024, 11:38 PM

Ah Ok, replicated this! There are at least 3 bugs here. Fun*

Incoming...

stephenw10 · Nov 27, 2024, 12:02 AM

https://redmine.pfsense.org/issues/15874

https://redmine.pfsense.org/issues/15873

Thanks!