Make Superuser remain accessible even through bans

[Stefan-comkmits]

Why is Possible Ban Superuser?

2019-11-16 17:29:48.897 1 => Ignoring connection: 127.0.0.1:1581 (Global ban) I think there is more Information needet,about Ban status to the User, and SuperUser Should ever Connnecting to the Server.

[Krzmbrzl]

Who banned the SuperUser? What permissions did that user have?

[Stefan-comkmits]

I have Admin Rights,and Ban a UnregistretUser,on Local Maschine (127.0.0.1). And then Not Only the User is Banned,also the IP is Banned.

Make sense for StandartUsers,but the SuperUser is then even unable to connect from a Banned IP.

[Krzmbrzl]

Ah okay now I think I understand. Let me summarize to make sure, we are on the same page:

• You connect from your local machine to your local server as an unregistered user
• You ban yourself from the server
• You try again to connect to that server from your local machine but this time you connect as a registered user (the SuperUser)
• The server still won't let you connect as the ban is associated with an IP and not a user

Is that correct?

[Stefan-comkmits]

I ban with my Real User (Admin/on Client1) the Unregistret (on Client2/Multi Mumble),yes.

And i think its Possible not Only on Local Maschine (its of course a esoteric Mode). But whats when i behind a NAT?

I Think when i am behind a NAT,and i Banned a User behind the same NAT, i can not Connecting with any User,to Remove that Mistake.

[Krzmbrzl]

Without looking into the code I assume that a ban is always registered for a certain IP address which makes sense because what else should you ban for an arbitrary client. One should however distinguish between an unregistered user an a registered one. In the former case you should ban the IP and in the latter that specific user.

And when a client is connected the checking should be done in the same fashion. Check the IP for an unregistered user to see if it has been banned but for a registered one, check the user itself, regardless of the IP.

@davidebeatrici @Kissaki thoughts on this?

[davidebeatrici]

We could also add a prompt, asking the user whether he wants to ban the IP address in addition to the account.

[Kissaki]

The bans can contain any one or multiple of:

• IP address (individual or ranges)
• username/nickname
• certificate hash = user identification (a registered user will always be this, but it also works if the user is not registered as long as they keep their user certificate)

From the ban list / ban editor:

Doesn’t the add ban dialog already provide choices for this? I can't test here without users.

[Kissaki]

@Stefan-comkmits So what you are saying is an ip-banned user should be able to log in to the superuser account?

I don’t think I agree with that. A ban is a ban, and for a reason.

[Stefan-comkmits]

@Kissaki In a IPv6 world who have every User his own IPv6 adress,you have right. The Problem is,NAT is Real in the World.

Its sad a Moderator can Block the Owner. And if wand,you can change the IP in multiple way. For this Reason a ip Ban should hav a lower priority,as a Superuser Login.

[Kissaki]

Would you want or expect user certificate bans to be ignored on SuperUser logins as well?

Feel free to create a feature request for that with your reasoning.

I think this ticket is a bit too unspecific. It was useful to find a common understanding, but probably did its job now and can be closed?

You also said

I think there is more Information needed, about Ban status to the User

which was not specified yet. Where do you want more information? The login deny explicitly states that it is a global ban that denies it.

[Stefan-comkmits]

From my Point of View the SuperUser is to Overwrite Everything. I Make a Mistake(in my case i Ban User for Testing,and cannot Login with my User),and then i can Repair it with Login as SuperUser.

I think this ticket is a bit too unspecific. It was useful to find a common understanding, but probably did its job now and can be closed?

Yes,fell free to Close it. I think you have Understand my Point a little bit.

Thank you,for your Work. :1st_place_medal:

[Krzmbrzl]

From my Point of View the SuperUser is to Overwrite Everything.

I think I have to agree with Stefan on this one. I mean what is the point of a SuperUser if not having special privileges others don't have. And presumably the SuperUser is the one responsible for the server (if not the owner) so denying him/her access to it seems very weird...

[Kissaki]

That is assuming authentication is valid and non-destructive. Suppose your superuser password got leaked, for one reason or another, but the user or malicious participants ip network is banned, then disregarding bans on superuser authentication would be a big problem.

Another thing to consider is that banning could be an effective counter-measure for specific types of DoS attacks; if the aggressor were spamming authentication requests. Again, disregarding bans on superuser authentication would open that door again.

[Krzmbrzl]

If the SuperUser password is leaked, there are problems in any case. Don't really see that as an argument against the case here...

For the DoS-part: The server has to check whether the user is banned on connect anyways. Thus previously checking whether it is the SuperUser (with the correct password), shouldn't hurt much (I think). I don't see how that would make a DoS attack more potent :thinking:

[Kissaki]

I was thinking that root access (or a provided web access by a hoster) where you would also set or disable the superuser would be acceptable, or possibly preferably.

But I agree now that we should probably also allow a workflow where that access is not available. In that case the superuser password is set and the login needs to remain accessible in all cases as the fallback.

[Kissaki]

We may want to provide a configuration setting to disable that though. But maybe in those cases simply disabling the account (unsetting the password) would be preferable and acceptable. That would save us the configuration setting and its implementation.