
Bug #3060

Remove YAML host permissions from basic users

Added by Jim Perrin about 6 years ago. Updated over 2 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Authorization
Target version: -
Triaged: No

Description

A default user with no permissions granted can view a host and click the 'yaml' option, which will output a rootpw hash. This is not ideal and with the appropriate rainbow tables or similar toolkit could lead to a compromise.


Related issues

Related to Foreman - Bug #2069: (encrypted) root passwords are world readable | Closed | 2009-10-07
Related to Foreman - Bug #5878: Reports - view_reports role gives view_hosts role | New | 2014-05-22

History

#1 Updated by Dominic Cleal about 6 years ago

  • Related to Bug #2069: (encrypted) root passwords are world readable added

#2 Updated by Dominic Cleal about 6 years ago

  • Category changed from Web Interface to Authorization

I think we could improve on this with a dedicated permission for access to password hashes, so they're not readable to other users from either the YAML output or the APIs.
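As an added illustration of the report and of the dedicated-permission idea above (example code, not Foreman's own models or authorization layer), the vulnerable dump is shown beside a hardened version that drops the hash unless the viewer holds a hypothetical `view_host_passwords` permission. The `Host` and `User` structs, the permission name and the sample hash are all constructed for this example.

```ruby
require 'yaml'

# Constructed stand-in for a host record (not Foreman's Host model).
Host = Struct.new(:name, :ip, :root_pass_hash, :puppet_classes)

# Constructed stand-in for a user holding a set of granted permissions.
User = Struct.new(:login, :permissions)

# Hypothetical dedicated permission for reading password hashes; the name is an assumption.
VIEW_HOST_PASSWORDS = :view_host_passwords

# Behaviour described in the report: every attribute, hash included, is dumped
# for anyone allowed to view the host.
def host_yaml_unfiltered(host)
  host.to_h.transform_keys(&:to_s).to_yaml
end

# Hardened version: the hash key is removed before serialisation unless the viewer
# holds the dedicated permission, so the same filter works for YAML and API output.
def host_yaml_for(host, user)
  attrs = host.to_h.transform_keys(&:to_s)
  attrs.delete('root_pass_hash') unless user.permissions.include?(VIEW_HOST_PASSWORDS)
  attrs.to_yaml
end

# Detection helper: does a rendered document still contain the host's hash?
def leaks_hash?(yaml_doc, host)
  yaml_doc.include?(host.root_pass_hash)
end

if __FILE__ == $0
  host  = Host.new('web01.example.test', '192.0.2.10',
                   '$6$constructed$notarealhash', %w[base ntp])  # constructed sample
  basic = User.new('basic', [:view_hosts])
  admin = User.new('admin', [:view_hosts, VIEW_HOST_PASSWORDS])
  puts "unfiltered leaks hash: #{leaks_hash?(host_yaml_unfiltered(host), host)}"
  puts "basic user leaks hash: #{leaks_hash?(host_yaml_for(host, basic), host)}"
  puts "admin user sees hash:  #{leaks_hash?(host_yaml_for(host, admin), host)}"
end
```

The same `leaks_hash?` check can be run against API JSON responses to confirm the filter is applied on every output path, not only the YAML view.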

#3 Updated by Dominic Cleal over 5 years ago

  • Related to Bug #5878: Reports - view_reports role gives view_hosts role added

#4 Updated by Tomer Brisker over 2 years ago

  • Bugzilla link set to 1437789
