Check-in [eadf2644e4]
Not logged in

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Assorted small improvements to admin-v-setup.md.
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256:eadf2644e4b469805b4e274257459af01b14dd3a601c62dcf4533b17d65f57c4
User & Date: wyoung 2018-12-01 06:17:28
Context
2018-12-01
06:19
Typo fix check-in: 572574d1a7 user: wyoung tags: trunk
06:17
Assorted small improvements to admin-v-setup.md. check-in: eadf2644e4 user: wyoung tags: trunk
05:49
The recent change that allows Admin-only users to edit the skin affected the setup.c side of things only: there were also several bits in skins.c that checked for g.perm.Setup, so an Admin-only user couldn't actually do anthing useful. check-in: 7b58c6fdde user: wyoung tags: trunk
Changes

Changes to www/admin-v-setup.md.

103
104
105
106
107
108
109

110
111


112
113
114
115
116
117
118
...
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
...
300
301
302
303
304
305
306
307
308
309


310
311
312


313
314
315
316
317
318
319
320
321
    of the Setup user: delete accounts created by spammers, fix email
    alert subscriptions, reset passwords, etc.

*   **Security audit**: The Admin → Security-Audit page runs several
    tests on the Fossil repository's configuration, then reports
    potential problems it found and offers canned solutions. Those
    canned solutions do not do anything that an Admin-user could not do

    via other means. For example, this page's "Take it Private" feature
    can also be done manually via Admin → Users.



*   **Logging**:<a id="log"></a> Admin-only users get to see the various
    Fossil logs in case they need to use them to understand a problem
    they're empowered to solve. An obvious example is a spam attack: the
    Admin might want to find the user's last-used IP, see if they cloned
    the repository, see if they attempted to brute-force an existing
    login before self-registering, etc.
................................................................................

    *   <p>[Email alerts](./alerts.md) and [backoffice](./backoffice.md)
        status. Admin-only users cannot modify the email alerts setup,
        but they can see some details about its configuration and
        current status.</p>

    *   <p>The `/urllist` page, which is a read-only page showing the
        ways the repository can be accessed and how it has been accessed in
        the past. Logically, this is an extension to logging, [covered
        below](#log).</p>

    *   <p>The Fossil repository SQL schema. This is not particularly
        sensitive information, since you get more or less the same
        information when you clone the repository. It's restricted to
        Admin because it's primarily useful in debugging SQL errors,
        which happen most often when Fossil itself is in flux and the
        schema isn't being automatically updated correctly. That puts
................................................................................

*   **SQL**: The Admin → SQL feature allows the Setup user to enter raw
    SQL queries against the Fossil repository via Fossil UI. This not
    only allows arbitrary ability to modify the repository blockchain
    and its backing data tables, it can probably also be used to damage
    the host such as via `PRAGMA temp_store = FILE`.

*   **TH1**: The [TH1 language][TH1] is quite restricted relative to
    Tcl, so this author does not believe there is a way to damage the
    Fossil repository or its host via this feature. Nevertheless,


    interpreters are a well-known source of security problems, so it
    seems best to restrict this to Setup users only until we have a good
    reason why Admin-only users should also have access to it.




[fcp]:   https://fossil-scm.org/fossil/help?cmd=configuration
[forum]: https://fossil-scm.org/forum/
[rs]:    https://www.fossil-scm.org/index.html/doc/trunk/www/settings.wiki
[sia]:   https://fossil-scm.org/fossil/artifact?udc=1&ln=1259-1260&name=0fda31b6683c206a
[th1]:   https://www.fossil-scm.org/index.html/doc/trunk/www/th1.md
[tt]:    https://en.wikipedia.org/wiki/Tiger_team#Security
[ucap]:  https://fossil-scm.org/fossil/setup_ucap_list







>
|
|
>
>







 







|
|
|







 







|
|
|
>
>
|
<
<
>
>









103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
...
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
...
303
304
305
306
307
308
309
310
311
312
313
314
315


316
317
318
319
320
321
322
323
324
325
326
    of the Setup user: delete accounts created by spammers, fix email
    alert subscriptions, reset passwords, etc.

*   **Security audit**: The Admin → Security-Audit page runs several
    tests on the Fossil repository's configuration, then reports
    potential problems it found and offers canned solutions. Those
    canned solutions do not do anything that an Admin-user could not do
    via other means, so this page offers the Admin-only user no more
    power than they otherwise had. For example, this page's "Take it
    Private" feature can also be done manually via Admin → Users. This
    page is a convenience, not a grant of new power to the Admin-only
    user.

*   **Logging**:<a id="log"></a> Admin-only users get to see the various
    Fossil logs in case they need to use them to understand a problem
    they're empowered to solve. An obvious example is a spam attack: the
    Admin might want to find the user's last-used IP, see if they cloned
    the repository, see if they attempted to brute-force an existing
    login before self-registering, etc.
................................................................................

    *   <p>[Email alerts](./alerts.md) and [backoffice](./backoffice.md)
        status. Admin-only users cannot modify the email alerts setup,
        but they can see some details about its configuration and
        current status.</p>

    *   <p>The `/urllist` page, which is a read-only page showing the
        ways the repository can be accessed and how it has been accessed
        in the past. Logically, this is an extension to logging,
        [covered above](#log).</p>

    *   <p>The Fossil repository SQL schema. This is not particularly
        sensitive information, since you get more or less the same
        information when you clone the repository. It's restricted to
        Admin because it's primarily useful in debugging SQL errors,
        which happen most often when Fossil itself is in flux and the
        schema isn't being automatically updated correctly. That puts
................................................................................

*   **SQL**: The Admin → SQL feature allows the Setup user to enter raw
    SQL queries against the Fossil repository via Fossil UI. This not
    only allows arbitrary ability to modify the repository blockchain
    and its backing data tables, it can probably also be used to damage
    the host such as via `PRAGMA temp_store = FILE`.

*   **TH1**: The [TH1 language][TH1] is quite restricted relative to the
    Tcl language it descends from, so this author does not believe there
    is a way to damage the Fossil repository or its host via the Admin →
    TH1 feature, which allows exeuction of arbitrary TH1 code within the
    repository's execution context. Nevertheless, interpreters are a
    well-known source of security problems, so it seems best to restrict


    this feature to Setup-only users as long as we lack a good reason
    for Admin-only users to have access to it.


[fcp]:   https://fossil-scm.org/fossil/help?cmd=configuration
[forum]: https://fossil-scm.org/forum/
[rs]:    https://www.fossil-scm.org/index.html/doc/trunk/www/settings.wiki
[sia]:   https://fossil-scm.org/fossil/artifact?udc=1&ln=1259-1260&name=0fda31b6683c206a
[th1]:   https://www.fossil-scm.org/index.html/doc/trunk/www/th1.md
[tt]:    https://en.wikipedia.org/wiki/Tiger_team#Security
[ucap]:  https://fossil-scm.org/fossil/setup_ucap_list