Project

General

Profile

Actions
Copy link

Bug #3060

open

Remove YAML host permissions from basic users,

Added by Jim Perrin over 10 years ago. Updated about 7 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Users, Roles and Permissions
Target version:
-
Difficulty:
Triaged:
Bugzilla link:
1437789
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

A default user with no permissions granted, can view a host and click the 'yaml' option, which will output a rootpw hash. This is not ideal and with the appropriate rainbow tables or similar toolkit could lead to a compromise.

Related issues 2 (1 open1 closed)

Related to Foreman - Bug #2069: (encrypted) root passwords are world readableClosedDominic Cleal10/07/2009Actions
Related to Foreman - Bug #5878: Reports - view_reports role gives view_hosts roleNew05/22/2014Actions
Actions
Copy link
 #1

Updated by Dominic Cleal over 10 years ago

  • Related to Bug #2069: (encrypted) root passwords are world readable added
Actions
Copy link
 #2

Updated by Dominic Cleal over 10 years ago

  • Category changed from Web Interface to Users, Roles and Permissions

I think we could improve on this with a dedicated permission for access to password hashes, so they're not readable to other users from either the YAML output or the APIs.

Actions
Copy link
 #3

Updated by Dominic Cleal almost 10 years ago

  • Related to Bug #5878: Reports - view_reports role gives view_hosts role added
Actions
Copy link
 #4

Updated by Tomer Brisker about 7 years ago

  • Bugzilla link set to 1437789
Actions
Copy link

Also available in: Atom PDF