CLI user creation - works up to release 0.7.1


Jim Meyer

May 15, 2024, 7:16:17 PM
to velociraptor-discuss
When creating accounts via the CLI there are different results:
  • Releases 0.7.1, 0.72.0 and 0.72.1 accounts created are listed in /opt/velociraptor/users/<account.db> and /opt/velociraptor/acl/<account.json.db> with velociraptor:velociraptor ownership of the files
  • Release 0.7.1 visible in GUI
  • Release 0.72.0 and 0.72.1 not visible in GUI
I am using the following pattern as user "velociraptor": 
     velociraptor user add --role=investigator "user" "password"

I can manually or through the API add one account at a time and that appears successfully in GUI for release 0.72.x. I have taken the default configuration options. Any ideas on resolution? Thanks

Mike Cohen

May 15, 2024, 11:25:26 PM
to Jim Meyer, velociraptor-discuss
Hi Jim,
   In recent versions the user manager is caching user accounts in the running process memory. When you run the `velociraptor user add --role=investigator "user" "password"` command it writes the user records in the filestore but the user manager is not seeing those updates immediately.

This is the same reason you can not generally just modify the underlying files an app is running on without notifying the app. If you restart the service, the user manager will pick up the new accounts but until then there is no way to notify it of changes in storage.

This is the reason that it is now recommended to add/remove user accounts via the API or VQL function in the notebook (or indeed the GUI) because this properly notifies the user manager of changes which are immediately visible. Same goes for most other changes including ACLs.



to see how to call the API from the shell. We should probably just remove the `user add` command from the command line or maybe add a warning that changes will not be visible until service restart.

Thanks
Mike



Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises
mi...@velocidex.com 



Jim Meyer

May 16, 2024, 9:09:08 PM
to velociraptor-discuss
Hi Mike,

Thanks! Restarting the 'velociraptor_service' successfully resolved the issue. The initial restart attempt didn't update the user list in the GUI, likely due to root ownership of the .db files. I'll explore creating user accounts directly through the API instead. I've found the VQL (Velociraptor Query Language) for adding individual users, and I'll adapt it to import user data from a CSV file.

Thank you,
Jim
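
An added example, not part of the thread: the first message gives the expected state of the record files (velociraptor:velociraptor under /opt/velociraptor/users and /opt/velociraptor/acl), and the last message attributes the failed first restart to root-owned .db files. This shell check lists records whose owner differs before the service is restarted; the function names are hypothetical and GNU `stat` (Linux) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit ownership of Velociraptor
# user and ACL records written by the CLI.
# Assumptions: GNU stat (Linux); datastore path and service account are
# the ones quoted in the thread and can be overridden by arguments.

# Print "owner:group path" for every file under <datastore>/users and
# <datastore>/acl that is not owned by the expected account.
#   $1 datastore root   (default /opt/velociraptor)
#   $2 expected owner   (default velociraptor:velociraptor)
audit_datastore_ownership() {
    datastore="${1:-/opt/velociraptor}"
    expected="${2:-velociraptor:velociraptor}"
    for dir in "$datastore/users" "$datastore/acl"; do
        # A missing directory is skipped rather than treated as an error.
        [ -d "$dir" ] || continue
        find "$dir" -type f -exec stat -c '%U:%G %n' {} + |
            awk -v want="$expected" '$1 != want'
    done
}

# Exit status 0 when every record has the expected owner, 1 otherwise,
# so the check can gate a service restart in a provisioning script.
datastore_ownership_ok() {
    [ -z "$(audit_datastore_ownership "$@")" ]
}

# Typical use on the server:
#   audit_datastore_ownership /opt/velociraptor velociraptor:velociraptor
#   datastore_ownership_ok || echo "fix ownership before restarting"
```

Any line printed points at a record the service account may be unable to read, typically one created by running the CLI as root.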
