Second user with administrator privileges

Paul042020

Contributor
Joined
May 4, 2020
Messages
119
Hello,
I am contacting you because I have just upgraded from FreeNAS 9.3 to TrueNAS 13.0 (new installation).
I had a question about the root user.
Indeed, in FreeNAS 9.3, it was possible to create a standard user "xxxx" and assign it UID=0, the same as the root user. It was also possible to modify the UID once the users were created.
The goal was to set a very long password for root and to use the user "xxxx" to manage the NAS instead of the "root" user.
In TrueNAS 13, it seems that assigning UID=0 is not possible. When I create a user with UID=0, the value changes to 1000 when the user is saved, and after that it is not possible to change it.

Do you know if it is possible to do this manipulation?

Regards
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Hello,
I am contacting you because I have just upgraded from FreeNAS 9.3 to TrueNAS 13.0 (new installation).
I had a question about the root user.
Indeed, in FreeNAS 9.3, it was possible to create a standard user "xxxx" and assign it UID=0, the same as the root user. It was also possible to modify the UID once the users were created.
The goal was to set a very long password for root and to use the user "xxxx" to manage the NAS instead of the "root" user.
In TrueNAS 13, it seems that assigning UID=0 is not possible. When I create a user with UID=0, the value changes to 1000 when the user is saved, and after that it is not possible to change it.

Do you know if it is possible to do this manipulation?

Regards

This was a bug that was recently fixed in master IIRC. You can probably just go through sqlite3 and change the UID there. That said, do be aware that if you're intending to use this with SMB access, we store a NT hash (md4) of the password in our sqlite db (encrypted, but it's still there) and in /var/db/system/samba4/private. There is no way around this. It is dictated by the protocol.
 

Paul042020

Contributor
Joined
May 4, 2020
Messages
119
Sorry, I didn't understand everything you wrote.
I only want to manage my NAS with user "XXX" rather than with "root".
It's only a matter of additional security. Indeed it is easier for an attacker to find the root password (if a little too weak), rather than the login + password of another administrator user.
 

somethingweird

Contributor
Joined
Jan 27, 2022
Messages
183
Not possible, because the documentation says:

"Only the root user account can log in to the TrueNAS web interface."

 

Paul042020

Contributor
Joined
May 4, 2020
Messages
119
Yes indeed! :)
It's amazing that, on an OS that promotes security, you can no longer log in with another admin user, or even disable the root account.

Thank you
 

somethingweird

Contributor
Joined
Jan 27, 2022
Messages
183
Enable 2FA for root, to secure the web interface.

 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
If someone gets administrative access to the web UI, you are screwed. It does not make any difference if that user is named "root" or "starlord". I fail to see the "additional security" here.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
See also:
 

Paul042020

Contributor
Joined
May 4, 2020
Messages
119
@danb35,
Yes, I had read 3 of the posts you quoted. But they seem to talk about a connection to the web interface with another user without administrator rights. That's what I understood, but my English is not very good.

In my application, it is a user with root rights (UID = 0).

@somethingweird
Ok, that answers the question.
The dual authentication system is a good idea.
However, when you want to free yourself from Google services, it's a bit paradoxical. Lol :)


If someone gets administrative access to the web UI, you are screwed. It does not make any difference if that user is named "root" or "starlord". I fail to see the "additional security" here.

I'm not a great security specialist, and I'm interested in tutorials for Truenas (if there are any). I'm trying to apply the few tips I've been given (also on other Linux systems, RPI,...)
I was told to use a strong password (or disable the root account if possible) and use another user with administrator rights. Because it is more difficult for an attacker to find the username + password than just the root admin password (since "root" is already known).
This is what I did on my freenas 9.3 at the time.
Although Truenas is not necessarily made to be accessible from outside, we can see that more and more steps are made from outside and therefore we expose more and more the NAS on the Internet. It's not my case, but I think it's always a plus.
Now once again, I am not a security specialist and I am stingy with recommendations and advice.

Translated with www.DeepL.com/Translator (free version)
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
I was told to use a strong password (or disable the root account if possible) and use another user with administrator privileges. Because it is more difficult for an attacker to find the username + password than just the root admin password (since "root" is already known).
It's all just a matter of entropy, really. A 10 character user name plus a 20 character password is less secure than "root" and a 40 character password.

Just use sufficiently long random passwords and a password manager and you are OK. My opinion, of course. And disable password authentication in favour of public/private key wherever possible, e.g. for SSH.
 
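As an added illustration of the entropy argument above (not code from the thread or from TrueNAS), this assumes usernames drawn uniformly from 36 lowercase alphanumerics and passwords drawn uniformly from the 95 printable ASCII characters, and counts the bits an attacker would have to guess in each case:

```python
import math

# Assumed symbol-class sizes (constructed assumptions, not from the thread):
# usernames are commonly lowercase letters and digits; manager-generated
# passwords can use all printable ASCII.
USERNAME_ALPHABET = 36
PASSWORD_ALPHABET = 95


def entropy_bits(length: int, alphabet: int) -> float:
    """Bits of entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet)


def login_entropy(username_len: int, password_len: int,
                  username_known: bool = False,
                  username_alphabet: int = USERNAME_ALPHABET,
                  password_alphabet: int = PASSWORD_ALPHABET) -> float:
    """Bits an attacker must guess for a username + password pair.

    A known username (such as "root") contributes zero bits; an unknown one
    contributes its own entropy, drawn from the (smaller) username alphabet.
    """
    user_bits = 0.0 if username_known else entropy_bits(username_len, username_alphabet)
    return user_bits + entropy_bits(password_len, password_alphabet)


def equivalent_password_chars(username_len: int,
                              username_alphabet: int = USERNAME_ALPHABET,
                              password_alphabet: int = PASSWORD_ALPHABET) -> int:
    """How many extra password characters give at least as much entropy as
    keeping a username of `username_len` secret."""
    bits = entropy_bits(username_len, username_alphabet)
    return math.ceil(bits / math.log2(password_alphabet))


def compare(hidden_user_len: int, hidden_pw_len: int, root_pw_len: int):
    """Return (bits for secret user + password, bits for "root" + long password)."""
    hidden = login_entropy(hidden_user_len, hidden_pw_len)
    root = login_entropy(len("root"), root_pw_len, username_known=True)
    return hidden, root


if __name__ == "__main__":
    hidden, root = compare(10, 20, 40)
    print(f"secret 10-char user + 20-char password: {hidden:.1f} bits")
    print(f"'root' + 40-char password:             {root:.1f} bits")
    print(f"a secret 10-char username is worth about "
          f"{equivalent_password_chars(10)} extra password characters")
```

Under these assumptions the secret username adds roughly 52 bits, about the same as 8 more password characters, so the 40-character root password wins by a wide margin.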

somethingweird

Contributor
Joined
Jan 27, 2022
Messages
183
@Paul042020 - yes, you're stingy on recommendations and advice.

The worst case, and this needs to be patched after every update:
  • hack the GUI code to accept another user and deny root
  • modify the nginx server on TrueNAS to accept only certain IP ranges, to mitigate some of the insecurity
That's why this is open source: get creative. Or send a request/ticket to iXsystems about this issue.
 

Paul042020

Contributor
Joined
May 4, 2020
Messages
119
Unfortunately I am unable to do all of this.
I use Freenas and now Truenas in a rather basic way.
My original question was simply that it was possible to do it before, and that it is no longer possible to do it. If it is no longer possible, it is no longer possible.
I am certainly not competent to know if this is a security issue or not.
I can only say that we are in an era where users are asking more and more to have access to their data from outside, and that this could be a weakness (from my non-expert point of view). Especially if it's people like me (lambda users) who implement this kind of software for a company (small or big) or for personal use.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
The only place where the root user comes into play is the web UI. And you should NEVER EVER make the web UI accessible from any untrusted network. Nor any sharing services that are not in jails, but that's a different topic.
 

Paul042020

Contributor
Joined
May 4, 2020
Messages
119
The only place where the root user comes into play is the web UI. And you should NEVER EVER make the web UI accessible from any untrusted network. Nor any sharing services that are not in jails, but that's a different topic.
I am aware of this. Is this the case of all the "lambda" users who start to make their DIY NAS? I'm not sure.

It's all just a matter of entropy, really. A 10 character user name plus a 20 character password is less secure than "root" and a 40 character password.
Lol, I've always wondered if it's equivalent.

Thank you in any case for all your answers
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,700
You can administer TrueNAS via users defined in TrueCommand (connected via API Key), which would allow you to set an unreasonably long and complicated password for root and never use it.
 