Read only user group

HCJ · Nov 20, 2014, 10:20 AM

Hi, can this be done now? and if so how do I do it? I want a read only group, so people can log in, view the stats/rules etc, but not be able to make any changes.

phil.davis · Nov 20, 2014, 11:00 AM

I made a ViewAll group the other day, like in the attached screenshot.
"User - Config - Deny Config Write" stops any changes to the config actually happening. When I login as "view.phil" and make changes then press Save, there is no message telling me it won't save, but actually it doesn't save, and then there is no "Apply" button coming, because it did not actually make any config changes.

But the user can mess with the running system things like:
a) Status->Services - stop and start services
b) Diagnostics->Command Prompt - execute general PHP and shell commands, thus possibly wreaking havoc. (Might be other stuff in Diagnostics that also does real things to the disk…)
c) Do package installs (and I guess removals!) - I just does not write anything into the config after the install. For example I just installed bandwidthd from view.phil - /usr/local/pkg has bandwidthd files in it... But System->Packages screen does not show it, because the end step to list it in the config did not happen.
and...

It would be nice to have some versions of read-only that prohibit:

Config changes (already available like here)
Config changes and disk changes
Config changes, disk changes and in memory changes (all changes prohibited)

Anyone who knows how to achieve this in 2.1.5 or 2.2 please advise...

HCJ · Nov 20, 2014, 12:09 PM

many thanks for repling, I'll take a look.

Ideally I would like read only access, apart from allowing changes to one firewall host alliases, to add in people who need the penalty box - I guess this level of lock down isn't available yet ?