Meshcentral: If NewAccounts is set to true before the first account is created, the first user does not have full admin privileges

Created on 27 Sep 2019 · 8 Comments · Source: Ylianst/MeshCentral

Problem Description: When I create the first user for the site ("" domain), that user is missing permissions to add other users and the tools menu.

I see in https://github.com/Ylianst/MeshCentral/issues/221 you added the permissions for the new users, however, it's a bit of a weird user experience, which I'm not sure was intended or not.

The flow looks like this:
-> Administrator installs software (Mesh Central Server)
-> User creates first user (let's call him 'admin')
-> User cannot add any other user
-> User does research to determine what's wrong
-> User has Administrator stop mesh central service
-> User has Administrator add "NewAccountsRights": [ "fulladmin" ]
-> User has Administrator start mesh central service
-> User creates another user who is actually a super user (let's call him 'root')
-> User hopes no one else creates an account at the same time
-> User has Administrator stop mesh central service
-> User has Administrator add "NewAccountsRights": [ "nonewgroups", "notools" ] (this is apparently the default, so you can also remove the NewAccountsRights entry altogether)
-> User has Administrator start mesh central service
-> Normal operations

In this instance, I'm the user and the administrator is a different team, so these requests can take a few days to make live.

For the longest time I just thought I was creating the first user wrong, or the administrator wasn't able to install the software correctly. Can this process be adjusted a bit, maybe something like this:

1) When a new domain is seen in the config file, create a user (let's call him 'admin') with full permissions ('fulladmin')
2) Create a temporary secure password (randomly generated, not the same for everyone) and present it to the user (on the screen, and maybe in the logs?) when a new domain is instantiated. (So, on service startup, "New domain found, created user 'admin' with the password '!vKDA!?FnZ'")
3) On login, you force the user to change the password
4) If the user wants, allow them to rename the account to something else (Like root)

Alternately, I may just be doing it wrong, please let me know.

Fixed - Confirm & Close bug

All 8 comments

So, before going too far with this. The first user should get full administrator rights. When running the server for the first time, you should see this line:

x

I just tried it now and when creating a new user, I get full admin rights. Is there anything unusual with your setup?

I am not going to make the creation of the first user any more difficult since many people want to quickly try MeshCentral and not have to jump thru a complicated initial setup. However, I am willing to consider an additional optional lock in the config.json for the first user for professional users.

I'm able to reproduce this if NewAccounts is set to true _before_ the first account is created.

  1. npm install meshcentral
  2. node node_modules\meshcentral
  3. Ctrl+C
  4. notepad meshcentral-data\config.json
    Enable {"settings": { "domains": { "": { "NewAccounts": true } } } }
  5. node node_modules\meshcentral
  6. Create first user.
    First user does not have full admin privileges.

@Ylianst If working the way you describe, I'm 100% fine with this, I thought you wanted the security for NewAccountsRights to apply to the first account as well. (Because this is how it was behaving for me)

@MailYouLater Nice! In my case, that would be the case, but I'm at a loss as to how you would create the first account for a subdomain without the NewAccounts being set to true, and maybe that's the problem? (I'm creating the first user incorrectly for subdomains?)

Wow! @MailYouLater that is amazing investigative work. I will fix that tomorrow when I get in the office. Thank you!

I finally grok the issue, this was a VERY unusual situation. I thought that NewAccounts was the explicit mechanism used to allow the "Don't have an account? Create one" button to be visible, and my thought process was, if that's not true, how do I create that first user?

If "NewAccounts" is set to false and I create a new domain, then the "Don't have an account? Create one" button will be visible and the first account will have full permissions. (This is actually what I wanted all along, but the name "NewAccounts" was a bit misleading for me; if possible, consider renaming to "NewUserAccounts".)

@Ylianst I'm happy to close this so you can work on more productive bugs.

Fixed it, will be in the next release I publish later today. This was a really good find.

Published MeshCentral v0.4.1-m with the fix for this.

Tested v0.4.1-n, confirmed that when "NewAccounts" is set to true, the first admin user is created correctly.
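
As an added example (not part of the original thread and not MeshCentral's own code), the following check flags the configuration states this issue walks through: a domain with no accounts yet, the `NewAccounts: true` precondition for the bug, and the `"fulladmin"` workaround left in place. It assumes `domains` is the domains object taken from config.json; `accountCounts` and the finding names are hypothetical and must be supplied or adapted by the caller.

```javascript
// Added example: audit MeshCentral domain settings for the states described in this issue.
// `accountCounts` (accounts per domain id) is a hypothetical input from your own user store.
function auditDomains(domains, accountCounts) {
  const findings = [];
  for (const [id, cfg] of Object.entries(domains)) {
    const name = id === '' ? '(default)' : id;
    const count = accountCounts[id] || 0;
    const selfSignup = cfg.NewAccounts === true;
    // Lower-case the values so a differently cased entry is not missed by this check.
    const rights = Array.isArray(cfg.NewAccountsRights)
      ? cfg.NewAccountsRights.map((r) => String(r).toLowerCase())
      : null;

    if (count === 0) {
      // The first account on a domain is meant to become full admin, so an
      // unclaimed domain belongs to whoever registers first.
      findings.push({ domain: name, id: 'first-account-unclaimed' });
      if (selfSignup) {
        // The state reproduced in this issue; the thread reports it fixed in v0.4.1-m.
        findings.push({ domain: name, id: 'first-admin-bug-precondition' });
      }
    }
    if (selfSignup && rights && rights.includes('fulladmin')) {
      // The workaround from the issue left in place: every sign-up becomes an admin.
      findings.push({ domain: name, id: 'signup-grants-fulladmin' });
    }
  }
  return findings;
}

// Constructed sample input, not taken from a real server.
const sampleDomains = {
  '': { NewAccounts: true },
  customer1: { NewAccounts: true, NewAccountsRights: ['fulladmin'] },
  customer2: { NewAccounts: false, NewAccountsRights: ['nonewgroups', 'notools'] },
};
const sampleCounts = { '': 0, customer1: 2, customer2: 5 };

for (const f of auditDomains(sampleDomains, sampleCounts)) {
  console.log(`${f.domain}: ${f.id}`);
}
```

Running it after any config change and before the service is exposed catches both the unclaimed first account and a forgotten `"fulladmin"` entry.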
