Fossil: Check-in [8ec908d1a0]

Fossil SCM


Overview
Comment: Added the "Setup-Only Features" section to admin-v-setup.md.
SHA3-256: 8ec908d1a06ffc4020b8212feda5727d50a00a4c2d582864b2925ace9b0843fe
User & Date: wyoung 2018-12-01 00:27:08
Context
2018-12-01
05:49
The recent change that allows Admin-only users to edit the skin affected the setup.c side of things only: there were also several bits in skins.c that checked for g.perm.Setup, so an Admin-only user couldn't actually do anything useful. check-in: 7b58c6fdde user: wyoung tags: trunk
00:27
Added the "Setup-Only Features" section to admin-v-setup.md. check-in: 8ec908d1a0 user: wyoung tags: trunk
2018-11-30
23:37
Added www/admin-v-setup.md to the permuted index check-in: 969380a562 user: wyoung tags: trunk
Changes

Changes to www/admin-v-setup.md.

   229    229   Setup capability can subsequently say [`fossil conf pull all`][fcp] to
   230    230   update that table and everything else not normally synchronized between
   231    231   Fossil repositories. In this way, a Setup user can create multiple
   232    232   interchangeable clones. This is useful not only to guard against rogue
   233    233   Admin-only users, it is a useful element of a load balancing and
   234    234   failover system.
   235    235   
          236  +
          237  +## Setup-Only Features
          238  +
          239  +Some features are now and must always be restricted to Setup users only.
          240  +
          241  +*   **Configuration**: The Admin → Configuration page nominally falls
          242  +    under Cosmetics above, but it's such a core part of the Fossil
          243  +    configuration — something every Setup user is expected to fully
          244  +    specify on initial repository setup — that we have trouble
          245  +    justifying any case where an Admin-only user would have good cause
          246  +    to modify any of it. This page is generally set up once and then
          247  +    never touched again.
          248  +
          249  +*   **Access**: The Admin → Access page falls under the Security
          250  +    category above, but like Configuration, it's generally something set
          251  +    up once and never touched, so only Setup users should change it.
          252  +
          253  +*   **Login-Group**: Login groups allow one Fossil repository to
          254  +    delegate user access to another. Since an Admin-only user on one
          255  +    repo might not have such access to another repo on the same host
          256  +    system, this must be a Setup-only task.
          257  +
          258  +*   **Settings**: The [repository settings][rs] available via Admin →
          259  +    Settings have too wide a range of power to allow modification by
          260  +    Admin-only users:
          261  +
          262  +    *   <p><b>Harmless</b>: Admin-only users on a repository may well
          263  +        have checkin rights on the repository, so the fact that
          264  +        versionable settings like `crlf-glob` can also be set at the
          265  +        repository level seems like a thing we might want to allow
          266  +        Admin-only users the ability to change. Since Fossil currently
          267  +        has no way to allow only some settings to be changed by
          268  +        Admin-only users and some not, we can't just show these harmless
          269  +        settings to Admin-only users.</p>
          270  +
          271  +    *   <p><b>Low-Risk</b>: The <tt>admin-log</tt> setting controls
          272  +        whether the Fossil admin log is generated. Since we've <a
          273  +        href="#log">already decided</a> that Admin-only users can see
          274  +        this log, it seems fine that the Admin users can choose whether
          275  +        this log gets generated in the first place.</p>
          276  +
          277  +        <p>There's a small risk that a rogue Admin user could disable
          278  +        the log before doing something evil that the log would capture,
          279  +        so ideally, we'd want to restrict changing this setting from 1
          280  +        to 0 to Setup only while allowing Admin-only users to change it
          281  +        from 0 to 1. Fossil doesn't currently allow that.</p>
          282  +
          283  +    *   <p><b>Risky</b>: The <tt>https-login</tt> setting falls under
          284  +        the "Security" section above, but it should probably never be
          285  +        adjusted by Admin-only users. Sites that want it on will never
          286  +        want it to be disabled without a very good reason.</p>
          287  +        
          288  +        <p>There is also an inverse risk: if the site has a front-end
          289  +        HTTPS proxy that uses HTTP to communicate over localhost to
          290  +        Fossil, enabling this setting will create an infinite redirect
          291  +        loop! (Ask me how I know.)</p>
          292  +
          293  +    *   <p><b>Dangerous</b>: The <tt>email-send-command</tt> setting
          294  +        could allow a rogue Admin to run arbitrary commands on the host
          295  +        system, unless it's prevented via some kind of host-specific
          296  +        restriction.  (chroot, jails, SELinux, VMs, etc.) Since it makes
          297  +        no sense to trust Admin-only users with <tt>root</tt> level
          298  +        access on the host system, we almost certainly don't want to
          299  +        allow them to change such settings.</p>
          300  +
          301  +*   **SQL**: The Admin → SQL feature allows the Setup user to enter raw
          302  +    SQL queries against the Fossil repository via Fossil UI. This not
          303  +    only allows arbitrary ability to modify the repository blockchain
          304  +    and its backing data tables, it can probably also be used to damage
          305  +    the host such as via `PRAGMA temp_store = FILE`.
          306  +
          307  +*   **TH1**: The [TH1 language][TH1] is quite restricted relative to
          308  +    Tcl, so this author does not believe there is a way to damage the
          309  +    Fossil repository or its host via this feature. Nevertheless,
          310  +    interpreters are a well-known source of security problems, so it
          311  +    seems best to restrict this to Setup users only until we have a good
          312  +    reason why Admin-only users should also have access to it.
          313  +
   236    314   
   237    315   [fcp]:   https://fossil-scm.org/fossil/help?cmd=configuration
   238    316   [forum]: https://fossil-scm.org/forum/
          317  +[rs]:    https://www.fossil-scm.org/index.html/doc/trunk/www/settings.wiki
   239    318   [sia]:   https://fossil-scm.org/fossil/artifact?udc=1&ln=1259-1260&name=0fda31b6683c206a
          319  +[th1]:   https://www.fossil-scm.org/index.html/doc/trunk/www/th1.md
   240    320   [tt]:    https://en.wikipedia.org/wiki/Tiger_team#Security
   241    321   [ucap]:  https://fossil-scm.org/fossil/setup_ucap_list
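Review bot: In the **SQL** item, `PRAGMA temp_store = FILE` is a weak illustration of damaging the host: that pragma only selects whether SQLite keeps temporary tables and indices in memory or in temporary files, so on its own it does not harm the host. Either name a concrete harmful capability of raw SQL access or drop the example and keep the claim to what the paragraph already establishes, that arbitrary SQL can rewrite the repository and its backing tables. In the **Dangerous** item, "`root` level access on the host system" overstates the exposure: `email-send-command` runs with the privileges of the Fossil server process, which is root only when the server itself runs as root, so "arbitrary command execution as the server's user" is the accurate wording and still justifies keeping the setting Setup-only.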