core
nextuid get reset after importing from a backup
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [X] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [X] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Describe the bug
When we import a config backup from one OPNsense to another one, including users, the nextuid was ignored on 2 machines. So after adding a new user in the web UI, the UID was (re)starting from the initial 2000, causing a UID collision (2 users had the same UID).
To Reproduce
Steps to reproduce the behavior:
- Create a config backup on opnsense-01
- Import the backup on opnsense-02
- Check the created users (looking good)
- Create a new user on opnsense-02
- The new user has the initial UID of 2000
Expected behavior
When importing a config backup it should respect the nextuid parameter and should not restart the UID creation.
Environment
Software version used and hardware type if relevant, e.g.:
OPNsense 24.1.5_3-amd64. Intel Xeon Processor (Skylake, IBRS) (4 cores, 8 threads)
Step 1: unclear WRT relevant contents of config.xml
Step 3: unclear where a user was created that was "ok" (what does "ok" mean?)
This issue is already old and it is really annoying, especially affecting OpenVPN clients. It's not only the nextuid but also nextgid, so both users and groups. After restore, instead of using the nextuid and nextgid values from the backup XML file, it keeps the original values. E.g. if your system has 2 users and 1 group and you restore a backup with 200 users and 5 groups, nextuid is still 2002 and nextgid is 2001. So when you create a new user, it will get the uid 2002, but that is already used by another user (uids from the backup are 2001-2200). The new user will work just fine, but the original user will be able to log in to the OpenVPN server, for example, but it will not reach any network you have. Same issue with the groups.
As a workaround: we edit the backup file, change the uid and gid to 3xxx and restore again. Another stupid way is to create a new user and then delete it (in the case above you create 200 users) so you can increase the nextuid to reach 2200; probably this can be automated.
OPNsense 24.1.2_1-amd64 FreeBSD 13.2-RELEASE-p10 OpenSSL 3.0.13
A full backup+restore warrants a consistent state; partial backups (of any section) have downsides, as also mentioned in the documentation (https://docs.opnsense.org/manual/backups.html#backup).
The issue is present also when doing a full restore. In our case we had to change the hardware, so a fresh OPNsense install and then a restore of the full backup.
That is highly unlikely, but also easy to test:
- [1] start with a clean install
- [2] add one user
- [3] download the config
- [4] reimport the same configuration
- [5] download the config again
Next perform a diff between [3] and [5].
A full restore (Restore areas: All) is practically the same as overwriting the /conf/config.xml file with the one downloaded.
There is no diff between [3] and [5]. I've done more tests. Full restore works just fine. Indeed it seems the problem is present when restoring only "Users and Groups". When restoring only "Users and Groups" the values for nextuid and nextgid are not affected; they remain the same. We realized that our full backup already had wrong nextuid and nextgid values.
What we did now to fix it (no downtime): changed the nextuid and nextgid values in config.xml. Creating a new user: the uid is the modified nextuid. We can delete the users with duplicate uids and recreate them; they will get good uids and OpenVPN will work fine.
Thanks @AdSchellevis
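A check for the inconsistent state described in this thread (a nextuid/nextgid counter that is not above the ids already in use, and the duplicate uids that result after a partial "Users and Groups" restore), written as an added example that is not part of this issue or of the OPNsense code base. It uses only Python's standard library, assumes the `<system>` / `<nextuid>` / `<nextgid>` / `<user>` / `<uid>` / `<group>` / `<gid>` layout of OPNsense's config.xml, and works on a constructed sample document; `audit_ids` and `fix_counters` are names chosen here, and `fix_counters` is the manual config.xml edit from the thread done programmatically.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the layout of OPNsense's config.xml
# (<system> holding nextuid/nextgid plus <user> and <group> records).
# It mirrors the state from the thread: the counters were kept from the
# old system while the restored users/groups already use those numbers.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system>
    <nextuid>2002</nextuid>
    <nextgid>2001</nextgid>
    <user><name>root</name><uid>0</uid></user>
    <user><name>alice</name><uid>2000</uid></user>
    <user><name>bob</name><uid>2001</uid></user>
    <user><name>carol</name><uid>2002</uid></user>
    <user><name>dave</name><uid>2002</uid></user>
    <group><name>admins</name><gid>1999</gid></group>
    <group><name>vpnusers</name><gid>2000</gid></group>
    <group><name>branch</name><gid>2001</gid></group>
  </system>
</opnsense>
"""


def _int_text(elem, tag, default):
    """Read an integer child element, falling back when it is absent or empty."""
    text = elem.findtext(tag)
    return int(text) if text and text.strip() else default


def _collect(system, record_tag, id_tag):
    """Return (name, id) pairs for every <user>/<group> record that has an id."""
    pairs = []
    for rec in system.findall(record_tag):
        ident = rec.findtext(id_tag)
        if ident and ident.strip():
            pairs.append((rec.findtext("name") or "?", int(ident)))
    return pairs


def _duplicates(pairs):
    """Map every id used by more than one record to the names sharing it."""
    by_id = {}
    for name, ident in pairs:
        by_id.setdefault(ident, []).append(name)
    return {ident: names for ident, names in by_id.items() if len(names) > 1}


def audit_ids(xml_text):
    """Compare nextuid/nextgid with the ids actually present in the config.

    The counters are consistent only when they are strictly greater than
    every uid/gid already allocated; otherwise the next created account
    collides with an existing one (the symptom reported in the thread).
    """
    system = ET.fromstring(xml_text).find("system")
    nextuid = _int_text(system, "nextuid", 2000)
    nextgid = _int_text(system, "nextgid", 2000)
    users = _collect(system, "user", "uid")
    groups = _collect(system, "group", "gid")
    max_uid = max((uid for _, uid in users), default=nextuid - 1)
    max_gid = max((gid for _, gid in groups), default=nextgid - 1)
    return {
        "nextuid": nextuid,
        "nextgid": nextgid,
        "max_uid": max_uid,
        "max_gid": max_gid,
        "uid_ok": nextuid > max_uid,
        "gid_ok": nextgid > max_gid,
        "expected_nextuid": max(nextuid, max_uid + 1),
        "expected_nextgid": max(nextgid, max_gid + 1),
        "duplicate_uids": _duplicates(users),
        "duplicate_gids": _duplicates(groups),
    }


def fix_counters(xml_text):
    """Return the config with nextuid/nextgid raised past every allocated id.

    Only the counters are rewritten; accounts that already share an id still
    have to be deleted and recreated so that they receive fresh ids.
    """
    report = audit_ids(xml_text)
    root = ET.fromstring(xml_text)
    system = root.find("system")
    for tag, key in (("nextuid", "expected_nextuid"), ("nextgid", "expected_nextgid")):
        node = system.find(tag)
        if node is None:
            node = ET.SubElement(system, tag)
        node.text = str(report[key])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    before = audit_ids(SAMPLE_CONFIG)
    print("before:", before)
    after = audit_ids(fix_counters(SAMPLE_CONFIG))
    print("after: nextuid=%d nextgid=%d uid_ok=%s gid_ok=%s"
          % (after["nextuid"], after["nextgid"], after["uid_ok"], after["gid_ok"]))
```

Run it against a downloaded config.xml (read the file into `audit_ids`) after any partial restore: `uid_ok`/`gid_ok` being False is exactly the condition under which the next account created in the web UI will collide, and `duplicate_uids` lists the accounts that already have.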
At some point in time we will refactor the user manager to new MVC code; that might also be a good moment to revise how this works. Strictly speaking it's not needed to have double accounting on used numbers for users and groups.