Cannot delete or rename admin user via GUI
Using the Internal user AUTH system gives the default admin user with admin / changeme as the credentials
Currently you cannot delete this user via the user interface (it gives a nice error saying you cant delete it) it would be good to allow this account to be deleted IF there is another administrator account configured, this would help people being security conscious who use the foreman user auth system on its own to help prevent brute force attacks by not giving a would be attacker half of your user credentials out of the box
ultimately it would be awesome to be able to rename or control the username of the main admin account at setup time (in a wordpress style fashion to give a reasonable example)
Although this is a Feature request really, i would consider it a security bug personally so have left it as such pending better classification by others
I should point out also that I was able to successfully remove the admin user from the database via standard mysql tools and it has had no abnormal effects so far in my limited testing
#1 Updated by Ohad Levy over 6 years ago
- Assignee deleted (
Sadly removing it is not a real option (we relay on the fact the user always exists)We could consider
- disable / lock the account
- change our default admin user assumption to an internal locked account, this might be better long term for auditing where you could see which actions were triggered by a user and others by an event (e.g. fact import)
#2 Updated by Anthony Somerset over 6 years ago
Disabling or locking does seem a sensible option - i did notice on my install that the account did just get recreated anyway
what is it actually needed for if login is enabled? (or more precisely what would break by not having the account)
i'm trying to write a patch to at least allow it to be renamed and assume it will always have ID 1 and use the ID for the search rather than the name to at least allow security conscious people to rename the account
#3 Updated by Ohad Levy over 6 years ago
I think it would be probably best to add a locked attribute (or status that can handle multiple status - admin / locked / ..?)
and then simply add to the authentication method another check to ensure the account is not locked.
the admin account is always recreated, so I'm not sure relaying on the user id is the right way forward.
#5 Updated by Dominic Cleal almost 5 years ago
- Description updated (diff)
- Status changed from New to Duplicate
Closing, as we're tackling this via #3272. The suggested patch uses an internal-only account where necessary, but then allows the interactive admin account to be replaced, deleted, renamed etc.