[opencms-dev] Security bug (or design flaw) with Account Manager role
John Weible
jweible at uiuc.edu
Fri Feb 22 20:35:45 CET 2008
As our OpenCms installation grows, we're now needing to delegate more
things to a broader set of staff. One of those things is we need to
enable some folks to do basic user management (specifically
adding/removing users from groups).
We're currently on 7.0.1. So I tried granting the "Account Manager"
role to a couple of our NON-ADMINISTRATOR users. This, as expected,
then allows them to add and remove groups for users. The system also
correctly figures out that since they are not themselves "Root
Administrators", they are disallowed from promoting accounts to be
Administrators.
The fatal flaw is that the system does NOT prevent them from changing
any Administrator's account password.
Is there some different way to configure the system to delegate this
ability without introducing such a compromise?
--
John Weible
Manager of IT Infrastructure & Software Development
University Libraries, University of Illinois at Urbana-Champaign
424 Library, MC-522, Urbana, IL 61801
217-244-6300
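The gap described in this post is an authorization check that is applied to role promotion but not to password resets, even though resetting an account's password hands the caller every privilege that account holds. The following is an added illustration, not OpenCms code and not the poster's: it models a minimal "account manager" role with constructed role and user names, shows the flawed password-change check beside a hardened one, and uses the same rule for both operations (you may only act on a privilege you are allowed to grant).

```python
"""Illustration (added example, not OpenCms code) of why a delegated
user-management role must guard password changes with the same rule
it applies to role promotion. Role names and users are constructed."""
from dataclasses import dataclass, field

# Constructed role names; they do not correspond to OpenCms identifiers.
ROOT_ADMIN = "ROOT_ADMIN"
ACCOUNT_MANAGER = "ACCOUNT_MANAGER"


class Forbidden(Exception):
    """Raised when the acting user is not allowed to perform an operation."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    password: str = ""


def is_manager(actor: User) -> bool:
    """Only account managers and root administrators manage accounts at all."""
    return ACCOUNT_MANAGER in actor.roles or ROOT_ADMIN in actor.roles


def can_grant(actor: User, role: str) -> bool:
    """An actor may grant a role only if they are a root administrator or
    hold that role themselves, so a manager can never confer ROOT_ADMIN."""
    return ROOT_ADMIN in actor.roles or role in actor.roles


def assign_role(actor: User, target: User, role: str) -> None:
    """Role promotion: the check the post says already works correctly."""
    if not is_manager(actor) or not can_grant(actor, role):
        raise Forbidden(f"{actor.name} may not grant {role}")
    target.roles.add(role)


def change_password_flawed(actor: User, target: User, new_password: str) -> None:
    """Flawed variant: only checks that the actor manages accounts.
    A manager can therefore reset a root administrator's password, which
    is the compromise the post reports."""
    if not is_manager(actor):
        raise Forbidden(f"{actor.name} is not an account manager")
    target.password = new_password


def change_password_hardened(actor: User, target: User, new_password: str) -> None:
    """Hardened variant: a password reset is equivalent to taking over every
    role the target holds, so the actor must be allowed to grant each one."""
    if not is_manager(actor):
        raise Forbidden(f"{actor.name} is not an account manager")
    for role in target.roles:
        if not can_grant(actor, role):
            raise Forbidden(
                f"{actor.name} may not reset the password of {target.name}, "
                f"who holds {role}"
            )
    target.password = new_password


def allowed(operation, actor: User, target: User, arg: str) -> bool:
    """Run an operation and report whether the authorization check let it through."""
    try:
        operation(actor, target, arg)
        return True
    except Forbidden:
        return False


def make_users():
    """Constructed sample accounts: one root admin, one manager, one plain user."""
    return (
        User("root-admin", {ROOT_ADMIN}),
        User("manager", {ACCOUNT_MANAGER}),
        User("staff"),
    )


if __name__ == "__main__":
    admin, manager, staff = make_users()
    print("manager promotes staff to admin:", allowed(assign_role, manager, staff, ROOT_ADMIN))
    print("manager resets admin password (flawed):", allowed(change_password_flawed, manager, admin, "x"))
    print("manager resets admin password (hardened):", allowed(change_password_hardened, manager, admin, "x"))
    print("manager resets staff password (hardened):", allowed(change_password_hardened, manager, staff, "x"))
```

The design point is that the two checks must be the same check: whatever rule stops a manager from granting a role must also stop them from resetting the password of anyone who holds it. A corresponding detection control is to log every password change with both the acting account and the target's roles, so a reset of a privileged account by a non-administrator stands out.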