Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Assorted small improvements to admin-v-setup.md. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
eadf2644e4b469805b4e274257459af0 |
| User & Date: | wyoung 2018-12-01 06:17:28 |
Context
|
2018-12-01
| ||
| 06:19 | Typo fix (check-in: 572574d1 user: wyoung tags: trunk) | |
| 06:17 | Assorted small improvements to admin-v-setup.md. (check-in: eadf2644 user: wyoung tags: trunk) | |
| 05:49 | The recent change that allows Admin-only users to edit the skin affected the setup.c side of things only: there were also several bits in skins.c that checked for g.perm.Setup, so an Admin-only user couldn't actually do anthing useful. (check-in: 7b58c6fd user: wyoung tags: trunk) | |
Changes
Changes to www/admin-v-setup.md.
103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 ... 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 ... 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 |
of the Setup user: delete accounts created by spammers, fix email
alert subscriptions, reset passwords, etc.
* **Security audit**: The Admin → Security-Audit page runs several
tests on the Fossil repository's configuration, then reports
potential problems it found and offers canned solutions. Those
canned solutions do not do anything that an Admin-user could not do
via other means. For example, this page's "Take it Private" feature
can also be done manually via Admin → Users.
* **Logging**:<a id="log"></a> Admin-only users get to see the various
Fossil logs in case they need to use them to understand a problem
they're empowered to solve. An obvious example is a spam attack: the
Admin might want to find the user's last-used IP, see if they cloned
the repository, see if they attempted to brute-force an existing
login before self-registering, etc.
................................................................................
* <p>[Email alerts](./alerts.md) and [backoffice](./backoffice.md)
status. Admin-only users cannot modify the email alerts setup,
but they can see some details about its configuration and
current status.</p>
* <p>The `/urllist` page, which is a read-only page showing the
ways the repository can be accessed and how it has been accessed in
the past. Logically, this is an extension to logging, [covered
below](#log).</p>
* <p>The Fossil repository SQL schema. This is not particularly
sensitive information, since you get more or less the same
information when you clone the repository. It's restricted to
Admin because it's primarily useful in debugging SQL errors,
which happen most often when Fossil itself is in flux and the
schema isn't being automatically updated correctly. That puts
................................................................................
* **SQL**: The Admin → SQL feature allows the Setup user to enter raw
SQL queries against the Fossil repository via Fossil UI. This not
only allows arbitrary ability to modify the repository blockchain
and its backing data tables, it can probably also be used to damage
the host such as via `PRAGMA temp_store = FILE`.
* **TH1**: The [TH1 language][TH1] is quite restricted relative to
Tcl, so this author does not believe there is a way to damage the
Fossil repository or its host via this feature. Nevertheless,
interpreters are a well-known source of security problems, so it
seems best to restrict this to Setup users only until we have a good
reason why Admin-only users should also have access to it.
[fcp]: https://fossil-scm.org/fossil/help?cmd=configuration
[forum]: https://fossil-scm.org/forum/
[rs]: https://www.fossil-scm.org/index.html/doc/trunk/www/settings.wiki
[sia]: https://fossil-scm.org/fossil/artifact?udc=1&ln=1259-1260&name=0fda31b6683c206a
[th1]: https://www.fossil-scm.org/index.html/doc/trunk/www/th1.md
[tt]: https://en.wikipedia.org/wiki/Tiger_team#Security
[ucap]: https://fossil-scm.org/fossil/setup_ucap_list
|
> | | > > | | | | | | > > | < < > > |
103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 ... 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 ... 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 |
of the Setup user: delete accounts created by spammers, fix email
alert subscriptions, reset passwords, etc.
* **Security audit**: The Admin → Security-Audit page runs several
tests on the Fossil repository's configuration, then reports
potential problems it found and offers canned solutions. Those
canned solutions do not do anything that an Admin-user could not do
via other means, so this page offers the Admin-only user no more
power than they otherwise had. For example, this page's "Take it
Private" feature can also be done manually via Admin → Users. This
page is a convenience, not a grant of new power to the Admin-only
user.
* **Logging**:<a id="log"></a> Admin-only users get to see the various
Fossil logs in case they need to use them to understand a problem
they're empowered to solve. An obvious example is a spam attack: the
Admin might want to find the user's last-used IP, see if they cloned
the repository, see if they attempted to brute-force an existing
login before self-registering, etc.
................................................................................
* <p>[Email alerts](./alerts.md) and [backoffice](./backoffice.md)
status. Admin-only users cannot modify the email alerts setup,
but they can see some details about its configuration and
current status.</p>
* <p>The `/urllist` page, which is a read-only page showing the
ways the repository can be accessed and how it has been accessed
in the past. Logically, this is an extension to logging,
[covered above](#log).</p>
* <p>The Fossil repository SQL schema. This is not particularly
sensitive information, since you get more or less the same
information when you clone the repository. It's restricted to
Admin because it's primarily useful in debugging SQL errors,
which happen most often when Fossil itself is in flux and the
schema isn't being automatically updated correctly. That puts
................................................................................
* **SQL**: The Admin → SQL feature allows the Setup user to enter raw
SQL queries against the Fossil repository via Fossil UI. This not
only allows arbitrary ability to modify the repository blockchain
and its backing data tables, it can probably also be used to damage
the host such as via `PRAGMA temp_store = FILE`.
* **TH1**: The [TH1 language][TH1] is quite restricted relative to the
Tcl language it descends from, so this author does not believe there
is a way to damage the Fossil repository or its host via the Admin →
TH1 feature, which allows exeuction of arbitrary TH1 code within the
repository's execution context. Nevertheless, interpreters are a
well-known source of security problems, so it seems best to restrict
this feature to Setup-only users as long as we lack a good reason
for Admin-only users to have access to it.
[fcp]: https://fossil-scm.org/fossil/help?cmd=configuration
[forum]: https://fossil-scm.org/forum/
[rs]: https://www.fossil-scm.org/index.html/doc/trunk/www/settings.wiki
[sia]: https://fossil-scm.org/fossil/artifact?udc=1&ln=1259-1260&name=0fda31b6683c206a
[th1]: https://www.fossil-scm.org/index.html/doc/trunk/www/th1.md
[tt]: https://en.wikipedia.org/wiki/Tiger_team#Security
[ucap]: https://fossil-scm.org/fossil/setup_ucap_list
|