Create user with only backup permissions
Following the guide on here I have an account setup with a cron job to download my configs off all my pfsense boxes. The only thing i dont like is that this account has both backup and restore permissions.
Is there a way to prevent the restore permissions?
What could they possibly do? Other than restore a configuration that gives them 100% admin access? I mean… Besides that, its all good.
There is a "deny config write" permission but I believe the restore process ignores that because it doesn't actually write the config in the traditional way.
If that already doesn't work, then someone could probably add a few lines of code to the backup/restore page to deny restore if they have that permission bit set.