Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[SOLVED] WebGUI access for non root user

Featured Replies

I'm sure this has been answered before but a few searches have not shown me any results.

 

I've just had a significant security event which has led me to address my policy of "trusting" the LAN and clients on the LAN.

 

As a result I am adding users, securing shares etc.

 

One question I have relates to the root user. Principally I was always taught never to use root. I never bothered before because I only used it to telnet into the sever. However now I find myself typing it in to access the GUI and it just "feels" wrong.

 

Anyway, my question is, can I grant WebGUI access to a different user account? If so, how is this achieved? Just adding that user to a group (didn't want to guess just in case I wreck something)?

 

Thanks in advance! [emoji4]

 

 

Sent from my iPhone using Tapatalk

  • Community Expert

As far as I know the unRAID GUI can only be accessed using the root user. 

 

Note that shares are not allowed to use the root user for protected shares.  For Public shares then the user is ignored.

  • Author

As far as I know the unRAID GUI can only be accessed using the root user. 

 

Note that shares are not allowed to use the root user for protected shares.  For Public shares then the user is ignored.

 

Given the lack of search results I started to think that would be the case. Nice to have it confirmed. Guess I'll have to save the root user and password combo in Safari for quick access.

 

Good note re root user and shares for others who stumble on the post and don't know.

 

Thanks for the quick response, I appreciate it.

  • Community Expert

What are you trying to accomplish?

 

You should have a strong password assigned to your root account if you have had security issues on the LAN side.

 

But the Telnet access (and you should have shut straight Telnet down and be using SSH) and the GUI are administrator logins and are to be used only for administrative functions.  Whenever you are using the GUI, you have full administrator (or root) privileges on the server and you should only be logging if you are intending to use them.  You should 'feel' like you are the root user and realize exactly what you can do. And you should be attempting to deny any other users from having access to either of these interfaces. 

 

As a matter of fact, you will find out that root is not allowed to log into a a user share on SMB (and I would presume NFS).  This was done for security reasons. 

 

A big security hole still to be plugged is the use of http for the GUI. Conversion to  https is on the drawing boards and should be coming soon. 

  • Author

What are you trying to accomplish?

 

You should have a strong password assigned to your root account if you have had security issues on the LAN side.

 

But the Telnet access (and you should have shut straight Telnet down and be using SSH) and the GUI are administrator logins and are to be used only for administrative functions.  Whenever you are using the GUI, you have full administrator (or root) privileges on the server and you should only be logging if you are intending to use them.  You should 'feel' like you are the root user and realize exactly what you can do. And you should be attempting to deny any other users from having access to either of these interfaces. 

 

As a matter of fact, you will find out that root is not allowed to log into a a user share on SMB (and I would presume NFS).  This was done for security reasons. 

 

A big security hole still to be plugged is the use of http for the GUI. Conversion to  https is on the drawing boards and should be coming soon.

 

I wanted to put some real thought into this reply, hence the delay. Not sure how that has worked though, given I am replying in the hotel bar  ;)

 

I think what I have teased out here is a new requirement.

 

I understand that access the webgui is seen as an administrative task. However, I access the webgui regularly for information only. I see this access as non administrative. As a result I don't want to store my server "root" credentials in my browser NOR do I want to type them in every time I want check some information in the webgui.

 

I think what I am looking for is an unRAID webgui "Information View" - much like dd-wrt has (for those who are familiar) - without the raised privileges of root.  I believe there is a usecase here that is not limited to just me. I have taken note of my behaviour over the last few days (which I think represents my typical behaviour) and the amount of times I access the webgui WITHOUT performing administrative tasks (i.e. for information / status only) is almost 95 (information)/5 (action)% split. This means that under the current design I am elevating myself to root when I really have no need to.

 

Obviously this comes down to definitions of what information you consider to be "administrative only" but IMHO status of disks, reads/writes, docker status, vm status and the like etc is safe enough to expose without elevating to root OR at least give me an option to (like dd-wrt).

 

I will think about this some more and will work on articulating this requirement (and now I read my dd-wrt comparison, I feel like I have mentioned this before - but can't remember the link) as per LT's guidance on doing so.

 

P.S. Both replies so far have mentioned root access to shares. I am familiar with this design / restriction. This is not about shares.

What are you trying to accomplish?

 

You should have a strong password assigned to your root account if you have had security issues on the LAN side.

 

But the Telnet access (and you should have shut straight Telnet down and be using SSH) and the GUI are administrator logins and are to be used only for administrative functions.  Whenever you are using the GUI, you have full administrator (or root) privileges on the server and you should only be logging if you are intending to use them.  You should 'feel' like you are the root user and realize exactly what you can do. And you should be attempting to deny any other users from having access to either of these interfaces. 

 

As a matter of fact, you will find out that root is not allowed to log into a a user share on SMB (and I would presume NFS).  This was done for security reasons. 

 

A big security hole still to be plugged is the use of http for the GUI. Conversion to  https is on the drawing boards and should be coming soon.

 

I wanted to put some real thought into this reply, hence the delay. Not sure how that has worked though, given I am replying in the hotel bar  ;)

 

I think what I have teased out here is a new requirement.

 

I understand that access the webgui is seen as an administrative task. However, I access the webgui regularly for information only. I see this access as non administrative. As a result I don't want to store my server "root" credentials in my browser NOR do I want to type them in every time I want check some information in the webgui.

 

I think what I am looking for is an unRAID webgui "Information View" - much like dd-wrt has (for those who are familiar) - without the raised privileges of root.  I believe there is a usecase here that is not limited to just me. I have taken note of my behaviour over the last few days (which I think represents my typical behaviour) and the amount of times I access the webgui WITHOUT performing administrative tasks (i.e. for information / status only) is almost 95 (information)/5 (action)% split. This means that under the current design I am elevating myself to root when I really have no need to.

 

Obviously this comes down to definitions of what information you consider to be "administrative only" but IMHO status of disks, reads/writes, docker status, vm status and the like etc is safe enough to expose without elevating to root OR at least give me an option to (like dd-wrt).

 

I will think about this some more and will work on articulating this requirement (and now I read my dd-wrt comparison, I feel like I have mentioned this before - but can't remember the link) as per LT's guidance on doing so.

 

P.S. Both replies so far have mentioned root access to shares. I am familiar with this design / restriction. This is not about shares.

 

I may be wrong but I seem to recall jbrodriguez's ContrlR app has some sort of user management implemented.  Don't know if that helps at all.  Although I acknowledge that there's an argument for native webui implementation.

  • 4 years later...

The request (for WebGUI read-only access) makes sense to me. And I too feel uncomfortable having to log in as "root".

 

I stumbled onto this thread because I've been trying to create a second admin account called, er, admin and have discovered I can't do it. Any account added subsequent to root apparently has to be a user account.

 

I was hoping to run a pair of admin/root accounts simultaneously (but very temporarily) so I could explore the capabilities of one without compromising my ability to get into WebGUI administration. This arose because I added a password to the default root account and then discovered that for some reason I was being denied admin access (of course, there's a simple fix if you're local to the physical server).

 

Does anyone know of some kluge at the command line level that might provide a second admin account (like duplicating and editing the relevant entries in /config/password and associated files)?

 

-- 

Chris

  • 1 year later...

the ability to have user accounts be allocated various web sections for access to vms and / or dockers, shares, etc for obvious reasons, ie if there is more than one administrator of the server, I dont want to give out my super hard password to all the admins... 

this needs to be an Immediate addition for the web GUI, not just root login for web GUI this is living in noob land

  • 3 months later...

Those days standard practice is to disable obvious accounts like root/admin/etc... and create hard to gues accounts and give them admin privilige. I am new user of unraid (from yesterday :P) and i am astonished that such advancesd system lacks so basic functionality. Root/admin accounts are first target of every 5yo kid who try to be hacker. Why can't I disable them for peace of my mind?? 

Unraid is not designed to be directly facing the internet.  Remote access if required should be done via a VPN (WireGuard) or a reverse Proxy (MyServers).  

  • 3 weeks later...

I was not talking about exposing GUT to internet. in companies with many PC there is alvays a possibility that some users may infect themselfs with any kind of software used by criminals to breake safeguards from inside. Beside this in those companies are also more than 1 admin. it would be very desirabe to make one account for one admin. that wahy you dont have to share root password to many people. You can just disable or remove account of admin that is not working any more.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.