Is the root id/pw supposed to be used for web ui access?

genfoch01

Cadet
Joined
Sep 18, 2020
Messages
9
Version:
TrueNAS-12.0-U1

I just installed TrueNAS and have logged into the web UI via the root id. Is this the expected way to access the web UI (using the root id/pw)? I was expecting to use a different ID to access the GUI (an admin id like Drupal, WP, or WebSphere, etc.). I can't seem to find a way to create an "admin" id for use through the GUI or a way to disable root's use of the GUI. I tried to find some information about this online and did find ( https://redmine.ixsystems.com/issues/3669 ), which talks about storing the root pw in the database so disabling root pw login would not lock users out of the GUI, which does imply using the root id is standard practice, but that was for FreeNAS 9.2 so I'm not sure it applies here.

Thanks for your time!
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
I just installed truenas and have logged into the web ui via the root id. is this the expected way to access the web ui?

Yep, that is the way it is designed.

That interface is used for nothing else than complete admin and control. From replacing disks to adjusting permissions, from replication to VM and jail management, that interface has nothing that would be meant for a non-admin user.

You can enforce 2 factor authentication if you wish. That way, this authentication will be much more secure.

But still, Yes, this interface is designed for root and root only.
 

genfoch01

Cadet
Joined
Sep 18, 2020
Messages
9
Thanks for the response. I did find that information (belatedly) in the TrueNAS doc, so I must have missed it when I was looking it over.

This does lead me to a follow-up question though: why use the root id? nginx is running as www, so why not use a different admin id? This would put TrueNAS more in line with the Unix best practice of not logging in as root. It would also keep the root pw off the network. If you allowed admin ids to be created, you could provide an audit log of what id made what change, which would really help out when going through a security audit.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Let me return you that question:
As everything done in the WebUI requires root privilege, why should we masquerade behind a non-root user that will be automatically and systematically promoted up to root at every click? That would be an illusion of security and not actual security.

To do that would require a complete re-design of the web interface to segregate the privileges like replacing a drive, replicating a dataset and more, in sub-privileges. Once that complete re-write is done, then it would make sense not to use only root.

FreeNAS / TrueNAS is not a Unix server. It is an appliance designed for storage. As an appliance, it requires an infrastructure around it. That infrastructure must prevent access to the WebUI by those not authorized to use it, filter access toward it and more. Again, just turn on TOTP for your web access and you will achieve a security much higher than what most other services have, despite logging in as root.

Also, the reason why nginx is not root is because that one does not need to be root for doing its job. It does not wipe drives, create users, etc. It is the web application that it runs that is doing it. To have it as non-root helps in case of a vulnerability in that daemon. But once in the WebUI, no need for a vulnerability to do whatever you wish. You already have the entire control, so nothing to restrain.
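The design the two posts above argue about, per-id audit logging (asked for in the follow-up question) and segregation of the root-only interface into scoped sub-privileges (the redesign Heracles describes), is sketched below as an added Python model. It is not code from this thread or from TrueNAS; the operators, capabilities and backend actions are all constructed for the example. One backend still does everything with root-level power, but a broker in front of it authorises each call against the named operator's capabilities and writes an audit entry either way. The `promote_everyone_broker` variant is the "illusion of security" case from the thread: every authenticated operator gets every capability, so the log still attributes actions but the authorisation step can never deny anything.

```python
"""Added illustration, not TrueNAS code: a toy privilege broker that models the
design the thread argues about. Every privileged action still runs "as root"
(here: one backend object), but callers authenticate as named operators, each
operator holds a scoped set of capabilities, and every request, allowed or
denied, is written to an audit log that attributes it to the operator.
All names (operators, capabilities, actions) are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Capabilities an operator may be granted; stand-ins for the per-task
# sub-privileges (replace drive, replicate dataset, ...) mentioned in the thread.
CAPABILITIES = {"replace_disk", "snapshot", "manage_users"}


@dataclass
class Operator:
    name: str
    capabilities: frozenset = field(default_factory=frozenset)


@dataclass
class AuditEntry:
    when: str
    operator: str
    action: str
    target: str
    allowed: bool


class PrivilegedBackend:
    """The only component with root-level power. It performs actions but never
    decides who may request them; that is the broker's job."""

    def __init__(self):
        self.state = {"disks": {"ada0": "online"}, "snapshots": [], "users": set()}

    def replace_disk(self, target):
        self.state["disks"][target] = "replaced"

    def snapshot(self, target):
        self.state["snapshots"].append(target)

    def manage_users(self, target):
        self.state["users"].add(target)


class Broker:
    """Authorises each request against the operator's capabilities, records an
    audit entry, and only then forwards the call to the root-level backend."""

    def __init__(self, backend, operators):
        self.backend = backend
        self.operators = {op.name: op for op in operators}
        self.audit_log = []

    def request(self, operator_name, action, target):
        if action not in CAPABILITIES:
            raise ValueError(f"unknown action {action!r}")
        operator = self.operators.get(operator_name)
        allowed = operator is not None and action in operator.capabilities
        # The audit entry is written before the action, so denied attempts
        # (including unknown operator names) are attributed as well.
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            operator=operator_name, action=action, target=target, allowed=allowed))
        if not allowed:
            return False
        getattr(self.backend, action)(target)
        return True


def promote_everyone_broker(backend, operators):
    """The 'illusion of security' variant from the thread: any authenticated
    operator is promoted to full root for every call. Attribution survives in
    the log, but the authorisation decision is never 'deny'."""
    all_caps = frozenset(CAPABILITIES)
    return Broker(backend, [Operator(op.name, all_caps) for op in operators])


def demo():
    # Constructed operators: a storage admin with two scoped capabilities and a
    # helpdesk account that may only create users.
    operators = [Operator("alice", frozenset({"replace_disk", "snapshot"})),
                 Operator("bob", frozenset({"manage_users"}))]
    scoped = Broker(PrivilegedBackend(), operators)
    results = {
        "alice_snapshot": scoped.request("alice", "snapshot", "tank/data"),
        "bob_replace_disk": scoped.request("bob", "replace_disk", "ada0"),
        "mallory_manage_users": scoped.request("mallory", "manage_users", "eve"),
    }
    denied = [e for e in scoped.audit_log if not e.allowed]
    promoted = promote_everyone_broker(PrivilegedBackend(), operators)
    results["bob_replace_disk_when_promoted"] = promoted.request("bob", "replace_disk", "ada0")
    return results, scoped.audit_log, denied


if __name__ == "__main__":
    results, log, denied = demo()
    for entry in log:
        verdict = "ALLOW" if entry.allowed else "DENY"
        print(f"{entry.when} {entry.operator:8} {entry.action:14} {entry.target:10} {verdict}")
```

Running the script prints three audit lines for the scoped broker: one allowed snapshot by alice and two denials (bob attempting a disk replacement, an unknown "mallory" attempting user management). The same bob request succeeds under the promote-everyone broker, which is the thread's point in code: attribution alone is useful for an audit, but without scoped capabilities the per-user account adds no authorisation boundary beyond the root one.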
 

genfoch01

Cadet
Joined
Sep 18, 2020
Messages
9
The default install enables HTTP but uses the root id and pw, which means the root pw is being sent across the network in an unencrypted connection by default.

It's not a robust practice to place TrueNAS security solely on the infrastructure in which it is placed. Security best practice is defense in depth. So yes, local network security is important, but likewise TrueNAS should also be following security best practices, because if the TrueNAS device is compromised it is an attack vector for everything else on the network. I don't think a redesign of the web interface is a great reason to avoid addressing a security problem.
While on that subject, since the web UI is running under a different id (www) and the root ID has its password stored as a hash in the DB, there is already a functional way to log in a user differing from the web UI user (www), and you have a means to translate the www commands to root commands as well. So it looks like you have everything in place to support non-root user login.

lastly,
You can't say TrueNAS is not a Unix server. It is a full BSD installation. It has a compiler, it has make, Apache, it even has a telnet client on it. None of its configuration is protected by hardware (i.e. it is not an embedded OS stored in ROM, thus preventing modification). It is a BSD server running a specialized application.
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
in an unencrypted connection by default.

Turning on HTTPS is one of the first things to do when deploying a new resource, TrueNAS or anything else...

Its not a robust practice to place TrueNas security solely on the infrastructure

NAS like TrueNAS are closer to enterprise-class networks than to home networks. In a typical enterprise-class network, it is common to have network segmentation and to use a few infrastructure components to secure many resources at once. To rely on infrastructure is way better than relying on each and every individual resource. There are just too many resources and they are too different to secure each of them separately.

A good example is that a strong security is not one that will prevent intrusion. The reason is simply that to prevent all intrusions is impossible.
The good security is the one that will tolerate intrusion, that is, that will remain secure even after a first intrusion.

It is impossible to achieve that if you rely on the end device. If you do, the very first intrusion will already be at the core of the network and your assets. For that, you MUST do your security at infrastructure level.

but likewise TrueNas should also be following security best practices.

It does. Again, what are you waiting for to turn on 2FA? No more clear-text password problem, no more password stealing at any level, in fact. No more brute force... 2FA by itself will protect against most threats.

if the TrueNas device is compromised

...then it is too late. TrueNAS is meant to host the most valuable asset you have, your data. Once it is compromised, it is game over. Your most valuable asset is gone.

I don't think a redesign of the web interface is a great reason to avoid addressing a security problem.

The security is provided, but in a way that is more typical in enterprise.

so it looks like you have everything in place to support non root user login.

Yes; it ---LOOKS--- like it. As I said, to promote anything and everything received by the WebUI to root, without requiring the actual root password, would be an illusion of security. That's what an illusion is: it ---LOOKS--- like something but it is something else. That basic UID with its basic password would turn to root, so would require the exact same protection as the original root user itself.

you can't say TruNas is not a unix server. it is a full BSD installation

It is meant to be managed as a black box, as an appliance. If you wish to manage it as a full-fledged FreeBSD, you are way better off installing FreeBSD and using ZFS from it instead.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Really, this has been gone over several times in the past--I doubt it's going to change, and it certainly isn't going to change based on a thread here. Open an issue on Jira if you like, but first maybe take a look at the prior discussion. For a few examples:
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I still don't quite understand why this wasn't taken into account for the then-new middleware. I think it's one of the more bizarre limitations in FreeNAS/TrueNAS.
Of course, that release with a C in its name and FreeBSD 10 under the hood lit quite the fire under the dev team, but still.
 