diff options
author | Phil Davis <phil.davis@inf.org> | 2017-01-02 17:45:37 +0545 |
---|---|---|
committer | Phil Davis <phil.davis@inf.org> | 2017-01-02 17:45:37 +0545 |
commit | 57188e4752b9606c54cd49f4d8f96ec0fc38f8f3 (patch) | |
tree | c035bdc261d27847a7dd4667f7a3d83ff8a2fe18 /src/usr/local/www/system_usermanager.php | |
parent | 8db81fbcaa33012cb4fa573312a8f72ed3660dd1 (diff) | |
download | pfsense-57188e4752b9606c54cd49f4d8f96ec0fc38f8f3.zip pfsense-57188e4752b9606c54cd49f4d8f96ec0fc38f8f3.tar.gz |
Add security notes for privilege assignment pages
Suggested solution for Redmine 2247
Diffstat (limited to 'src/usr/local/www/system_usermanager.php')
-rw-r--r-- | src/usr/local/www/system_usermanager.php | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/src/usr/local/www/system_usermanager.php b/src/usr/local/www/system_usermanager.php index fca8657..c4bca18 100644 --- a/src/usr/local/www/system_usermanager.php +++ b/src/usr/local/www/system_usermanager.php @@ -29,6 +29,7 @@ ##|*IDENT=page-system-usermanager ##|*NAME=System: User Manager ##|*DESCR=Allow access to the 'System: User Manager' page. +##|*WARN=standard-warning-root ##|*MATCH=system_usermanager.php* ##|-PRIV @@ -443,6 +444,7 @@ function build_priv_table() { $privhtml .= '<tbody>'; $i = 0; + $user_has_root_priv = false; foreach (get_user_privdesc($a_user[$id]) as $priv) { $group = false; @@ -453,7 +455,12 @@ function build_priv_table() { $privhtml .= '<tr>'; $privhtml .= '<td>' . htmlspecialchars($priv['group']) . '</td>'; $privhtml .= '<td>' . htmlspecialchars($priv['name']) . '</td>'; - $privhtml .= '<td>' . htmlspecialchars($priv['descr']) . '</td>'; + $privhtml .= '<td>' . htmlspecialchars($priv['descr']); + if (isset($priv['warn']) && ($priv['warn'] == 'standard-warning-root')) { + $privhtml .= ' ' . gettext('(root privilege)'); + $user_has_root_priv = true; + } + $privhtml .= '</td>'; $privhtml .= '<td>'; if (!$group) { $privhtml .= '<a class="fa fa-trash no-confirm icon-pointer" title="' . gettext('Delete Privilege') . '" id="delprivid' . $i . '"></a>'; @@ -467,6 +474,17 @@ function build_priv_table() { } } + if ($user_has_root_priv) { + $privhtml .= '<tr>'; + $privhtml .= '<td colspan="3">'; + $privhtml .= '<b>' . gettext('Security notice: This user effectively has root privilege') . '</b>'; + $privhtml .= '</td>'; + $privhtml .= '<td>'; + $privhtml .= '</td>'; + $privhtml .= '</tr>'; + + } + $privhtml .= '</tbody>'; $privhtml .= '</table>'; $privhtml .= '</div>'; |