Comment: Added the "Setup-Only Features" section to admin-v-setup.md.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
User & Date: wyoung 2018-12-01 00:27:08
05:49  The recent change that allows Admin-only users to edit the skin affected the setup.c side of things only: there were also several bits in skins.c that checked for g.perm.Setup, so an Admin-only user couldn't actually do anything useful. check-in: 7b58c6fdde user: wyoung tags: trunk
00:27  Added the "Setup-Only Features" section to admin-v-setup.md. check-in: 8ec908d1a0 user: wyoung tags: trunk
23:37  Added www/admin-v-setup.md to the permuted index. check-in: 969380a562 user: wyoung tags: trunk
Changes to www/admin-v-setup.md.
229 229 Setup capability can subsequently say [`fossil conf pull all`][fcp] to 230 230 update that table and everything else not normally synchronized between 231 231 Fossil repositories. In this way, a Setup user can create multiple 232 232 interchangeable clones. This is useful not only to guard against rogue 233 233 Admin-only users, it is a useful element of a load balancing and 234 234 failover system. 235 235 236 + 237 +## Setup-Only Features 238 + 239 +Some features are now and must always be restricted to Setup users only. 240 + 241 +* **Configuration**: The Admin → Configuration page nominally falls 242 + under Cosmetics above, but it's such a core part of the Fossil 243 + configuration — something every Setup user is expected to fully 244 + specify on initial repository setup — that we have trouble 245 + justifying any case where an Admin-only user would have good cause 246 + to modify any of it. This page is generally set up once and then 247 + never touched again. 248 + 249 +* **Access**: The Admin → Access page falls under the Security 250 + category above, but like Configuration, it's generally something set 251 + up once and never touched, so only Setup users should change it. 252 + 253 +* **Login-Group**: Login groups allow one Fossil repository to 254 + delegate user access to another. Since an Admin-only user on one 255 + repo might not have such access to another repo on the same host 256 + system, this must be a Setup-only task. 257 + 258 +* **Settings**: The [repository settings][rs] available via Admin → 259 + Settings have too wide a range of power to allow modification by 260 + Admin-only users: 261 + 262 + * <p><b>Harmless</b>: Admin-only users on a repository may well 263 + have checkin rights on the repository, so the fact that 264 + versionable settings like `crlf-glob` can also be set at the 265 + repository level seems like a thing we might want to allow 266 + Admin-only users the ability to change. 
Since Fossil currently 267 + has no way to allow only some settings to be changed by 268 + Admin-only users and some not, we can't just show these harmless 269 + settings to Admin-only users.</p> 270 + 271 + * <p><b>Low-Risk</b>: The <tt>admin-log</tt> setting controls 272 + whether the Fossil admin log is generated. Since we've <a 273 + href="#log">already decided</a> that Admin-only users can see 274 + this log, it seems fine that the Admin users can choose whether 275 + this log gets generated in the first place.</p> 276 + 277 + <p>There's a small risk that a rogue Admin user could disable 278 + the log before doing something evil that the log would capture, 279 + so ideally, we'd want to restrict changing this setting from 1 280 + to 0 to Setup only while allowing Admin-only users to change it 281 + from 0 to 1. Fossil doesn't currently allow that.</p> 282 + 283 + * <p><b>Risky</b>: The <tt>https-login</tt> setting falls under 284 + the "Security" section above, but it should probably never be 285 + adjusted by Admin-only users. Sites that want it on will never 286 + want it to be disabled without a very good reason.</p> 287 + 288 + <p>There is also an inverse risk: if the site has a front-end 289 + HTTPS proxy that uses HTTP to communicate over localhost to 290 + Fossil, enabling this setting will create an infinite redirect 291 + loop! (Ask me how I know.)</p> 292 + 293 + * <p><b>Dangerous</b>: The <tt>email-send-command</tt> setting 294 + could allow a rogue Admin to run arbitrary commands on the host 295 + system, unless it's prevented via some kind of host-specific 296 + restriction. (chroot, jails, SELinux, VMs, etc.) Since it makes 297 + no sense to trust Admin-only users with <tt>root</tt> level 298 + access on the host system, we almost certainly don't want to 299 + allow them to change such settings.</p> 300 + 301 +* **SQL**: The Admin → SQL feature allows the Setup user to enter raw 302 + SQL queries against the Fossil repository via Fossil UI. 
This not 303 + only allows arbitrary ability to modify the repository blockchain 304 + and its backing data tables, it can probably also be used to damage 305 + the host such as via `PRAGMA temp_store = FILE`. 306 + 307 +* **TH1**: The [TH1 language][TH1] is quite restricted relative to 308 + Tcl, so this author does not believe there is a way to damage the 309 + Fossil repository or its host via this feature. Nevertheless, 310 + interpreters are a well-known source of security problems, so it 311 + seems best to restrict this to Setup users only until we have a good 312 + reason why Admin-only users should also have access to it. 313 + 236 314 237 315 [fcp]: https://fossil-scm.org/fossil/help?cmd=configuration 238 316 [forum]: https://fossil-scm.org/forum/ 317 +[rs]: https://www.fossil-scm.org/index.html/doc/trunk/www/settings.wiki 239 318 [sia]: https://fossil-scm.org/fossil/artifact?udc=1&ln=1259-1260&name=0fda31b6683c206a 319 +[th1]: https://www.fossil-scm.org/index.html/doc/trunk/www/th1.md 240 320 [tt]: https://en.wikipedia.org/wiki/Tiger_team#Security 241 321 [ucap]: https://fossil-scm.org/fossil/setup_ucap_list
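Review bot: the "Low-Risk" entry for `admin-log` (new lines 271-281) argues against its own label. The paragraph right after it describes a rogue Admin disabling the log before doing something the log would have captured, which is exactly the scenario an admin log exists to catch, and the 1-to-0 versus 0-to-1 asymmetry it proposes as the fix does not exist in Fossil today. Until it does, the conclusion "it seems fine that the Admin users can choose whether this log gets generated" should be replaced with a recommendation to keep the setting Setup-only, or the item should be moved out of "Low-Risk": the control that makes Admin-only delegation auditable should not be switchable by the delegate.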
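Review bot: the "Dangerous" entry (new lines 293-299) ends with "such settings" but names only `email-send-command`; state the class explicitly, namely any setting whose value is executed as a command on the host, so that settings added later can be classified without re-reading this rationale. The parenthetical "(chroot, jails, SELinux, VMs, etc.)" is also floating outside the sentence; fold it in as "...host-specific restriction (chroot, jails, SELinux, VMs, etc.)." and consider saying plainly that such host confinement is defense in depth against a compromised Setup user, not a justification for exposing the setting to Admin-only users.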
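Review bot: the nested sub-list under "Settings" (new lines 262-299) switches to inline HTML (`<p><b>Harmless</b>`, `<tt>admin-log</tt>`, `<a href="#log">`) while the surrounding bullets use Markdown (`**Configuration**`, `` `crlf-glob` ``, `` `PRAGMA temp_store = FILE` ``). Unless the `<p>` wrappers are needed for the renderer to handle multi-paragraph list items, use `* **Harmless**:` and backticks for the setting names for consistency with the rest of the file; `<tt>` is obsolete in HTML5 and renders differently from the backtick spans used elsewhere on the page.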
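Review bot: the two new reference links (new lines 317 and 319) use a different host and path form, `https://www.fossil-scm.org/index.html/doc/trunk/www/...`, from the existing definitions in the same block, which use `https://fossil-scm.org/fossil/...`; pick one form for the file. The label is also defined as `[th1]` but used as `[TH1 language][TH1]` in the text. Markdown reference labels are case-insensitive, so this resolves, but matching the case in definition and use avoids a reader hunting for a missing definition.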