GUI access to users instead of root

[lightingman117]

Will any future version of TrueNAS Core have the ability to enable GUI access to certain 'admin' users?

Or is this a limitation of FreeBSD?

TrueNAS Scale has this fixed If I am understanding the documentation correctly.

Edit: for clarity

 

[Whattteva]

I honestly don't think it's a "limitation". Almost all the tasks that the GUI needs to do require root permissions. Even as a non-root "user" on SCALE, it's almost certainly run with sudo (aka: root) permissions. In fact, a quick check just told me that the process owner of both nginx as well as middlewared are both root.
The non-root user thing is more like a Linuxism and really more like one of those silly things Linux likes to do veiled under false pretense of "security". Heck, even vanilla Debian install only disables root if you don't set a password for it.

If you want actual security, you shouldn't really be using the GUI and instead just use pure SSH (no passwords) with either RSA key with minimum 2048 bits key length or ed25519 key. Also note that you probably shouldn't expose your NAS to the internet anyways especially if you're running things like SMB service.

 

[lightingman117]

What I mean is allowing specific local or AD users with the correct admin privileges to access the GUI.

I.E. granting root to user "admin1" and "admin2" but not "user1...2...n"

---

I don't disagree that the veiled "no default root user" isn't actually more secure.

But it is a security practice/standard/STIG...

All audit logs should be tied to specific PEOPLE not a generic default account.

---

This really has nothing to do with exposing to the internet. Though I do acknowledge that many do it unawares.

 

[Whattteva]

I don't disagree that the veiled "no default root user" isn't actually more secure.

But it is a security practice/standard/STIG...

As I said, it's more a Linuxism (not a "standard" in BSD world) and it isn't even universal across all Linux. As I mentioned earlier, vanilla Debian doesn't even really do that fully. I think it's more a "standard" set by Ubuntu, which just happens to have one of the biggest userbase and derivative work based on it.

All audit logs should be tied to specific PEOPLE not a generic default account.

This is a fair point, but this would really only apply if you're using sudo or doas (my preference). I don't believe the web GUI bothers to do that. As I mentioned earlier, the middlewared processes themselves run under root as you can see below:

Code:

root@nas3[~]# ps -ax|grep middlewared
    603 ?        Ssl   56:34 middlewared
    623 ?        Sl    12:03 middlewared (worker)
   1548 ?        Sl    12:02 middlewared (worker)
   1549 ?        Sl    12:08 middlewared (worker)
2016031 pts/1    S+     0:00 grep middlewared
root@nas3[~]# ls -lh /proc/603/loginuid; ls -lh /proc/623/loginuid; ls -lh /proc/1548/loginuid; ls -lh /proc/1549/loginuid
-rw-r--r-- 1 root root 0 May 18 07:49 /proc/603/loginuid
-rw-r--r-- 1 root root 0 May 18 07:59 /proc/623/loginuid
-rw-r--r-- 1 root root 0 May 18 08:00 /proc/1548/loginuid
-rw-r--r-- 1 root root 0 May 18 08:00 /proc/1549/loginuid

I've also looked around the SCALE UI to see if there's such thing as a security audit log, but couldn't find any. Of course, I'm not really familiar with SCALE as I only run this for experimental and testing purposes so if anyone else is more knowledgeable about it, hopefully they will chime in here!