Fossil SCM
Added the "Setup-Only Features" section to admin-v-setup.md.
Commit
8ec908d1a06ffc4020b8212feda5727d50a00a4c2d582864b2925ace9b0843fe
Parent
969380a56205346…
1 file changed
+80
| --- www/admin-v-setup.md | ||
| +++ www/admin-v-setup.md | ||
| @@ -231,11 +231,91 @@ | ||
| 231 | 231 | Fossil repositories. In this way, a Setup user can create multiple |
| 232 | 232 | interchangeable clones. This is useful not only to guard against rogue |
| 233 | 233 | Admin-only users, it is a useful element of a load balancing and |
| 234 | 234 | failover system. |
| 235 | 235 | |
| 236 | + | |
| 237 | +## Setup-Only Features | |
| 238 | + | |
| 239 | +Some features are now and must always be restricted to Setup users only. | |
| 240 | + | |
| 241 | +* **Configuration**: The Admin → Configuration page nominally falls | |
| 242 | + under Cosmetics above, but it's such a core part of the Fossil | |
| 243 | + configuration — something every Setup user is expected to fully | |
| 244 | + specify on initial repository setup — that we have trouble | |
| 245 | + justifying any case where an Admin-only user would have good cause | |
| 246 | + to modify any of it. This page is generally set up once and then | |
| 247 | + never touched again. | |
| 248 | + | |
| 249 | +* **Access**: The Admin → Access page falls under the Security | |
| 250 | + category above, but like Configuration, it's generally something set | |
| 251 | + up once and never touched, so only Setup users should change it. | |
| 252 | + | |
| 253 | +* **Login-Group**: Login groups allow one Fossil repository to | |
| 254 | + delegate user access to another. Since an Admin-only user on one | |
| 255 | + repo might not have such access to another repo on the same host | |
| 256 | + system, this must be a Setup-only task. | |
| 257 | + | |
| 258 | +* **Settings**: The [repository settings][rs] available via Admin → | |
| 259 | + Settings have too wide a range of power to allow modification by | |
| 260 | + Admin-only users: | |
| 261 | + | |
| 262 | + * <p><b>Harmless</b>: Admin-only users on a repository may well | |
| 263 | + have checkin rights on the repository, so the fact that | |
| 264 | + versionable settings like `crlf-glob` can also be set at the | |
| 265 | + repository level seems like a thing we might want to allow | |
| 266 | + Admin-only users the ability to change. Since Fossil currently | |
| 267 | + has no way to allow only some settings to be changed by | |
| 268 | + Admin-only users and some not, we can't just show these harmless | |
| 269 | + settings to Admin-only users.</p> | |
| 270 | + | |
| 271 | + * <p><b>Low-Risk</b>: The <tt>admin-log</tt> setting controls | |
| 272 | + whether the Fossil admin log is generated. Since we've <a | |
| 273 | + href="#log">already decided</a> that Admin-only users can see | |
| 274 | + this log, it seems fine that the Admin users can choose whether | |
| 275 | + this log gets generated in the first place.</p> | |
| 276 | + | |
| 277 | + <p>There's a small risk that a rogue Admin user could disable | |
| 278 | + the log before doing something evil that the log would capture, | |
| 279 | + so ideally, we'd want to restrict changing this setting from 1 | |
| 280 | + to 0 to Setup only while allowing Admin-only users to change it | |
| 281 | + from 0 to 1. Fossil doesn't currently allow that.</p> | |
| 282 | + | |
| 283 | + * <p><b>Risky</b>: The <tt>https-login</tt> setting falls under | |
| 284 | + the "Security" section above, but it should probably never be | |
| 285 | + adjusted by Admin-only users. Sites that want it on will never | |
| 286 | + want it to be disabled without a very good reason.</p> | |
| 287 | + | |
| 288 | + <p>There is also an inverse risk: if the site has a front-end | |
| 289 | + HTTPS proxy that uses HTTP to communicate over localhost to | |
| 290 | + Fossil, enabling this setting will create an infinite redirect | |
| 291 | + loop! (Ask me how I know.)</p> | |
| 292 | + | |
| 293 | + * <p><b>Dangerous</b>: The <tt>email-send-command</tt> setting | |
| 294 | + could allow a rogue Admin to run arbitrary commands on the host | |
| 295 | + system, unless it's prevented via some kind of host-specific | |
| 296 | + restriction. (chroot, jails, SELinux, VMs, etc.) Since it makes | |
| 297 | + no sense to trust Admin-only users with <tt>root</tt> level | |
| 298 | + access on the host system, we almost certainly don't want to | |
| 299 | + allow them to change such settings.</p> | |
| 300 | + | |
| 301 | +* **SQL**: The Admin → SQL feature allows the Setup user to enter raw | |
| 302 | + SQL queries against the Fossil repository via Fossil UI. This not | |
| 303 | + only allows arbitrary ability to modify the repository blockchain | |
| 304 | + and its backing data tables, it can probably also be used to damage | |
| 305 | + the host such as via `PRAGMA temp_store = FILE`. | |
| 306 | + | |
| 307 | +* **TH1**: The [TH1 language][TH1] is quite restricted relative to | |
| 308 | + Tcl, so this author does not believe there is a way to damage the | |
| 309 | + Fossil repository or its host via this feature. Nevertheless, | |
| 310 | + interpreters are a well-known source of security problems, so it | |
| 311 | + seems best to restrict this to Setup users only until we have a good | |
| 312 | + reason why Admin-only users should also have access to it. | |
| 313 | + | |
| 236 | 314 | |
| 237 | 315 | [fcp]: https://fossil-scm.org/fossil/help?cmd=configuration |
| 238 | 316 | [forum]: https://fossil-scm.org/forum/ |
| 317 | +[rs]: https://www.fossil-scm.org/index.html/doc/trunk/www/settings.wiki | |
| 239 | 318 | [sia]: https://fossil-scm.org/fossil/artifact?udc=1&ln=1259-1260&name=0fda31b6683c206a |
| 319 | +[th1]: https://www.fossil-scm.org/index.html/doc/trunk/www/th1.md | |
| 240 | 320 | [tt]: https://en.wikipedia.org/wiki/Tiger_team#Security |
| 241 | 321 | [ucap]: https://fossil-scm.org/fossil/setup_ucap_list |
| 242 | 322 |
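Review bot: the reference label in the new TH1 bullet, `[TH1 language][TH1]`, does not match the definition added at the bottom of the file, `[th1]: https://www.fossil-scm.org/index.html/doc/trunk/www/th1.md`. CommonMark compares link labels case-insensitively, but the other new definition is used with matching case (`[repository settings][rs]` / `[rs]:`), so write `[TH1 language][th1]` for consistency and so the link does not dangle in a renderer that compares labels exactly. Minor style point on the Settings sub-list: the four sub-items (Harmless, Low-Risk, Risky, Dangerous) use HTML `<p><b>…</b>` and `<tt>…</tt>` while the parent bullets use Markdown `**…**` and backticks (`crlf-glob`, `PRAGMA temp_store = FILE`); if the HTML is needed to get multi-paragraph nested list items, a brief note to that effect would stop a later editor from "fixing" it.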