The new user from the ONVIF guide has administrative access (security issue)

[MikeVRT]

I'm not sure about right choice of sub-project. Please move it to firmware if it fits better there.

The user, created with that guide for ONVIF has WebUI administrative access.

The simple solution, from my point of view, is:
It may be better to allow only users in a special system group to log in to the WebUI.
For example, the root user is in the wheel group by default:
uid=0(root) gid=0(root) groups=0(root),10(wheel)
This 'marker' could be easily used as a condition to determine whether a user could access the system as root or just as an endpoint consumer. Just a simple check in the WebUI authentication code and an 'Access Denied' message if the user is not a member of the "right group".

[flyrouter]

Thank you for your message and suggestion.

At the moment the system is single-user but we have made a workaround that currently does not allow users other than "root" to enter the interface, but they can receive media content (jpeg, mjpeg, rtsp) and also execute .cgi scripts from the "/v" directory, control the backlight and some other actions of a regular user or an automated system.

This ticket will be closed after the information is transferred to the Wiki with explanations.

[MikeVRT]

but they can receive media content (jpeg, mjpeg, rtsp)

I found an issue:
endpoints 'image.jpg' and '/night/toggle' (maybe other) work only under root authorization after update.
The user was created using the command "adduser viewer -s /bin/false -D -H" and had worked well before.

This is the actual version for today (2.4.03.31).

[MikeVRT]

The bug still here - v.2.5.05.19
Endpoints like image.jpg are not accessible via non-root credentials in the link. Only non-root links to the RTSP streams still work.

[MikeVRT]

endpoints 'image.jpg' and '/night/toggle'

some changes on 2.5.12.12-lite:
http://nonroot:pwd@camerahost/night/toggle - works now
http://nonroot:pwd@camerahost/image.jpg - still doesn't work (asks for auth)