danioj Posted September 27, 2016 Share Posted September 27, 2016 I'm sure this has been answered before but a few searches have not shown me any results. I've just had a significant security event which has led me to address my policy of "trusting" the LAN and clients on the LAN. As a result I am adding users, securing shares etc. One question I have relates to the root user. Principally I was always taught never to use root. I never bothered before because I only used it to telnet into the sever. However now I find myself typing it in to access the GUI and it just "feels" wrong. Anyway, my question is, can I grant WebGUI access to a different user account? If so, how is this achieved? Just adding that user to a group (didn't want to guess just in case I wreck something)? Thanks in advance! Sent from my iPhone using Tapatalk Quote Link to comment
itimpi Posted September 27, 2016 Share Posted September 27, 2016 As far as I know the unRAID GUI can only be accessed using the root user. Note that shares are not allowed to use the root user for protected shares. For Public shares then the user is ignored. Quote Link to comment
danioj Posted September 27, 2016 Author Share Posted September 27, 2016 As far as I know the unRAID GUI can only be accessed using the root user. Note that shares are not allowed to use the root user for protected shares. For Public shares then the user is ignored. Given the lack of search results I started to think that would be the case. Nice to have it confirmed. Guess I'll have to save the root user and password combo in Safari for quick access. Good note re root user and shares for others who stumble on the post and don't know. Thanks for the quick response, I appreciate it. Quote Link to comment
Frank1940 Posted September 27, 2016 Share Posted September 27, 2016 What are you trying to accomplish? You should have a strong password assigned to your root account if you have had security issues on the LAN side. But the Telnet access (and you should have shut straight Telnet down and be using SSH) and the GUI are administrator logins and are to be used only for administrative functions. Whenever you are using the GUI, you have full administrator (or root) privileges on the server and you should only be logging if you are intending to use them. You should 'feel' like you are the root user and realize exactly what you can do. And you should be attempting to deny any other users from having access to either of these interfaces. As a matter of fact, you will find out that root is not allowed to log into a a user share on SMB (and I would presume NFS). This was done for security reasons. A big security hole still to be plugged is the use of http for the GUI. Conversion to https is on the drawing boards and should be coming soon. Quote Link to comment
danioj Posted September 29, 2016 Author Share Posted September 29, 2016 What are you trying to accomplish? You should have a strong password assigned to your root account if you have had security issues on the LAN side. But the Telnet access (and you should have shut straight Telnet down and be using SSH) and the GUI are administrator logins and are to be used only for administrative functions. Whenever you are using the GUI, you have full administrator (or root) privileges on the server and you should only be logging if you are intending to use them. You should 'feel' like you are the root user and realize exactly what you can do. And you should be attempting to deny any other users from having access to either of these interfaces. As a matter of fact, you will find out that root is not allowed to log into a a user share on SMB (and I would presume NFS). This was done for security reasons. A big security hole still to be plugged is the use of http for the GUI. Conversion to https is on the drawing boards and should be coming soon. I wanted to put some real thought into this reply, hence the delay. Not sure how that has worked though, given I am replying in the hotel bar I think what I have teased out here is a new requirement. I understand that access the webgui is seen as an administrative task. However, I access the webgui regularly for information only. I see this access as non administrative. As a result I don't want to store my server "root" credentials in my browser NOR do I want to type them in every time I want check some information in the webgui. I think what I am looking for is an unRAID webgui "Information View" - much like dd-wrt has (for those who are familiar) - without the raised privileges of root. I believe there is a usecase here that is not limited to just me. I have taken note of my behaviour over the last few days (which I think represents my typical behaviour) and the amount of times I access the webgui WITHOUT performing administrative tasks (i.e. for information / status only) is almost 95 (information)/5 (action)% split. This means that under the current design I am elevating myself to root when I really have no need to. Obviously this comes down to definitions of what information you consider to be "administrative only" but IMHO status of disks, reads/writes, docker status, vm status and the like etc is safe enough to expose without elevating to root OR at least give me an option to (like dd-wrt). I will think about this some more and will work on articulating this requirement (and now I read my dd-wrt comparison, I feel like I have mentioned this before - but can't remember the link) as per LT's guidance on doing so. P.S. Both replies so far have mentioned root access to shares. I am familiar with this design / restriction. This is not about shares. Quote Link to comment
CHBMB Posted September 29, 2016 Share Posted September 29, 2016 What are you trying to accomplish? You should have a strong password assigned to your root account if you have had security issues on the LAN side. But the Telnet access (and you should have shut straight Telnet down and be using SSH) and the GUI are administrator logins and are to be used only for administrative functions. Whenever you are using the GUI, you have full administrator (or root) privileges on the server and you should only be logging if you are intending to use them. You should 'feel' like you are the root user and realize exactly what you can do. And you should be attempting to deny any other users from having access to either of these interfaces. As a matter of fact, you will find out that root is not allowed to log into a a user share on SMB (and I would presume NFS). This was done for security reasons. A big security hole still to be plugged is the use of http for the GUI. Conversion to https is on the drawing boards and should be coming soon. I wanted to put some real thought into this reply, hence the delay. Not sure how that has worked though, given I am replying in the hotel bar I think what I have teased out here is a new requirement. I understand that access the webgui is seen as an administrative task. However, I access the webgui regularly for information only. I see this access as non administrative. As a result I don't want to store my server "root" credentials in my browser NOR do I want to type them in every time I want check some information in the webgui. I think what I am looking for is an unRAID webgui "Information View" - much like dd-wrt has (for those who are familiar) - without the raised privileges of root. I believe there is a usecase here that is not limited to just me. I have taken note of my behaviour over the last few days (which I think represents my typical behaviour) and the amount of times I access the webgui WITHOUT performing administrative tasks (i.e. for information / status only) is almost 95 (information)/5 (action)% split. This means that under the current design I am elevating myself to root when I really have no need to. Obviously this comes down to definitions of what information you consider to be "administrative only" but IMHO status of disks, reads/writes, docker status, vm status and the like etc is safe enough to expose without elevating to root OR at least give me an option to (like dd-wrt). I will think about this some more and will work on articulating this requirement (and now I read my dd-wrt comparison, I feel like I have mentioned this before - but can't remember the link) as per LT's guidance on doing so. P.S. Both replies so far have mentioned root access to shares. I am familiar with this design / restriction. This is not about shares. I may be wrong but I seem to recall jbrodriguez's ContrlR app has some sort of user management implemented. Don't know if that helps at all. Although I acknowledge that there's an argument for native webui implementation. Quote Link to comment
bidmead Posted October 24, 2020 Share Posted October 24, 2020 The request (for WebGUI read-only access) makes sense to me. And I too feel uncomfortable having to log in as "root". I stumbled onto this thread because I've been trying to create a second admin account called, er, admin and have discovered I can't do it. Any account added subsequent to root apparently has to be a user account. I was hoping to run a pair of admin/root accounts simultaneously (but very temporarily) so I could explore the capabilities of one without compromising my ability to get into WebGUI administration. This arose because I added a password to the default root account and then discovered that for some reason I was being denied admin access (of course, there's a simple fix if you're local to the physical server). Does anyone know of some kluge at the command line level that might provide a second admin account (like duplicating and editing the relevant entries in /config/password and associated files)? -- Chris 1 Quote Link to comment
SundarNET Posted November 26, 2021 Share Posted November 26, 2021 the ability to have user accounts be allocated various web sections for access to vms and / or dockers, shares, etc for obvious reasons, ie if there is more than one administrator of the server, I dont want to give out my super hard password to all the admins... this needs to be an Immediate addition for the web GUI, not just root login for web GUI this is living in noob land 1 Quote Link to comment
MoherPower Posted February 27, 2022 Share Posted February 27, 2022 Those days standard practice is to disable obvious accounts like root/admin/etc... and create hard to gues accounts and give them admin privilige. I am new user of unraid (from yesterday :P) and i am astonished that such advancesd system lacks so basic functionality. Root/admin accounts are first target of every 5yo kid who try to be hacker. Why can't I disable them for peace of my mind?? 1 Quote Link to comment
Squid Posted February 27, 2022 Share Posted February 27, 2022 Unraid is not designed to be directly facing the internet. Remote access if required should be done via a VPN (WireGuard) or a reverse Proxy (MyServers). 1 1 Quote Link to comment
MoherPower Posted March 19, 2022 Share Posted March 19, 2022 I was not talking about exposing GUT to internet. in companies with many PC there is alvays a possibility that some users may infect themselfs with any kind of software used by criminals to breake safeguards from inside. Beside this in those companies are also more than 1 admin. it would be very desirabe to make one account for one admin. that wahy you dont have to share root password to many people. You can just disable or remove account of admin that is not working any more. 2 Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.