[opencms-dev] Security bug (or design flaw) with AccountManager role

Schliemann, Kai K.Schliemann at comundus.com
Mon Feb 25 10:10:42 CET 2008


Hi Alex,
I would prefer
1) account managers must never change the password of an admin (to be
more specific "Admin" and "Root-Admin") AND no other data at all.

Account managers should only be able to change user data of users in the
same OU (this seems to be solved in 7.0.4) AND of users which have a
"lower" or the Account manager role.

Kind Regards,
Kai



Kind Regards,
Alex.

-------------------
Alexander Kandzior

Alkacon Software GmbH  - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org

Visit us on CeBIT expo in Hannover, Germany
March 4 to March 9, 2008 - Hall 5 Stand F59/3

> -----Original Message-----
> From: opencms-dev-bounces at opencms.org
> [mailto:opencms-dev-bounces at opencms.org] On Behalf Of Arash
> Kaffamanesh
> Sent: Saturday, February 23, 2008 9:25 AM
> To: The OpenCms mailing list
> Subject: Re: [opencms-dev] Security bug (or design flaw) with Account
> Manager role
> 
> hi,
> 
> this issue has been resolved in CVS Head as Michael Moossen wrote this
> week and will be available in OpenCms 7.0.4 in short.
> You have to upgrade to Head or wait for OpenCms 7.0.4.
> 
> Kind Regards,
> Arash
> 
> 
> John Weible wrote:
> > As our OpenCms installation grows, we're now needing to delegate more
> > things to a broader set of staff.  One of those things is we need to
> > enable some folks to do basic user management (specifically
> > adding/removing users from groups).
> >
> > We're currently on 7.0.1.  So I tried granting the "Account Manager"
> > role to a couple of our NON-ADMINISTRATOR users.  This, as expected,
> > then allows them to add and remove groups for users.  The system also
> > correctly figures out that since they are not themselves "Root
> > Administrators", they are disallowed from promoting accounts to be
> > Administrators.
> >
> > The fatal flaw is that the system does NOT prevent them from changing
> > any Administrator's account password.
> >
> > Is there some different way to configure the system to delegate this
> > ability without introducing such a compromise?
> >
> 
> 
> 
> _______________________________________________
> This mail is sent to you from the opencms-dev mailing list To change 
> your list options, or to unsubscribe from the list, please visit 
> http://lists.opencms.org/mailman/listinfo/opencms-dev
> 
> 
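The rule Kai proposes at the top of this thread (an account manager may only touch users in the same OU whose role is not above the account manager's own, and never an Administrator or Root Administrator) is easy to state but easy to get wrong, as the 7.0.1 behaviour John reports shows. The following is an added illustrative model written for this archive page, not OpenCms code: the role names come from the thread, while the numeric ranking, the `User` model and the root-administrator bypass are assumptions. It places the flawed "any account manager may edit any password" check beside the hardened one so the difference can be exercised on constructed sample users.

```python
"""Illustrative authorization check for delegated account management.

Hypothetical model (not OpenCms code). An account manager may change
another user's data, including the password, only if the target sits in
the same organizational unit AND the target's highest role is not above
the account manager's own.
"""
from dataclasses import dataclass, field

# Constructed role ranking: higher number = more privilege. The role
# names appear in the thread; the ordering is an assumption.
ROLE_RANK = {
    "Guest": 0,
    "Workplace user": 1,
    "Account manager": 2,
    "Administrator": 3,
    "Root administrator": 4,
}
ACCOUNT_MANAGER_RANK = ROLE_RANK["Account manager"]


@dataclass
class User:
    name: str
    ou: str                         # organizational unit path, e.g. "/"
    roles: set = field(default_factory=set)

    def rank(self) -> int:
        """Highest privilege level among the user's roles."""
        return max((ROLE_RANK[r] for r in self.roles), default=0)


def can_change_password_naive(actor: User, target: User) -> bool:
    """Flawed check resembling the behaviour reported for 7.0.1:
    holding the account-manager capability is enough to edit anyone."""
    return actor.rank() >= ACCOUNT_MANAGER_RANK


def can_change_password(actor: User, target: User) -> bool:
    """Hardened check implementing the rule proposed in the thread."""
    # Users may always change their own password (assumed self-service).
    if actor.name == target.name and actor.ou == target.ou:
        return True
    # Assumed: root administrators are unrestricted.
    if "Root administrator" in actor.roles:
        return True
    # The capability itself is required ...
    if actor.rank() < ACCOUNT_MANAGER_RANK:
        return False
    # ... but limited to the actor's own OU ...
    if actor.ou != target.ou:
        return False
    # ... and to targets that are not more privileged than the actor.
    return target.rank() <= actor.rank()


def decision_table(actor: User, targets: list) -> dict:
    """Return {target name: (naive decision, hardened decision)} so the
    two policies can be compared side by side."""
    return {
        t.name: (can_change_password_naive(actor, t), can_change_password(actor, t))
        for t in targets
    }


if __name__ == "__main__":
    # Constructed sample accounts.
    root = User("Root-Admin", "/", {"Root administrator"})
    admin = User("Admin", "/", {"Administrator"})
    mgr = User("kai", "/", {"Account manager"})
    editor = User("eve", "/", {"Workplace user"})
    for name, (naive, hardened) in decision_table(mgr, [root, admin, editor]).items():
        print(f"{mgr.name} -> {name}: naive={naive} hardened={hardened}")
```

Running the block shows the account manager allowed to reset the Root-Admin and Admin passwords under the naive rule and denied under the hardened one, while an ordinary workplace user in the same OU stays editable. In a real deployment the same decision should also be logged, since a denied attempt to reset an administrator's password is worth an alert.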

