user with run only privilege can do more with shell plugins
oliviermollier opened this issue · 8 comments
Summary
When you create a user that can only run jobs, I notice that he can still edit. When you save, it says you are not allowed to save, but you can still change the content of the script and click run.
Steps to reproduce the problem
Create a user called runner.
Connect as him. Open an existing job, update the text (do not save) but click run. The command is executed. It means that giving a user runjob allows him to run everything he wants.
Your Setup
I have a master Cronicle installed as standard on one server and 10 workers on different servers.
Operating system and version?
CentOS Linux release 7.9.2009 (Core)
Node.js version?
Cronicle software version?
Version 0.9.53
node --version
v16.20.2
I updated a part of the code. I don't know if you want to reintegrate it in standard or not, but in case some people face the same security problem, I shared my correction.
This is "as designed" behavior. The run_events privilege allows the user or API key to modify any job parameters when the API call is sent in. This is how the system was designed.
If you want to lock this down, please upgrade your primary server to Cronicle v0.9.54, as I added a new optional user privilege called job_read_only.
Edit your /opt/cronicle/conf/config.json file and locate this section, inside the client object:
"privilege_list": [
{ "id": "admin", "title": "Administrator" },
{ "id": "create_events", "title": "Create Events" },
{ "id": "edit_events", "title": "Edit Events" },
{ "id": "delete_events", "title": "Delete Events" },
{ "id": "run_events", "title": "Run Events" },
{ "id": "abort_events", "title": "Abort Events" },
{ "id": "state_update", "title": "Toggle Scheduler" }
],
Add a new privilege with the ID job_read_only and title "Job Read Only":
"privilege_list": [
{ "id": "admin", "title": "Administrator" },
{ "id": "create_events", "title": "Create Events" },
{ "id": "edit_events", "title": "Edit Events" },
{ "id": "delete_events", "title": "Delete Events" },
{ "id": "run_events", "title": "Run Events" },
{ "id": "abort_events", "title": "Abort Events" },
{ "id": "state_update", "title": "Toggle Scheduler" },
{ "id": "job_read_only", "title": "Job Read Only" }
],
Then restart your server, and edit your underprivileged user or API key, and check the new "Job Read Only" privilege checkbox, then save the user or API key. They should also have the "Run Events" privilege checked, of course.
That user will now only be able to run events straight from the schedule, without any customization. Any other params sent in will be stripped (ignored).
Hello, thx a lot for your reactivity. Anyway, I upgraded to the version you published and it seems it doesn't work as you describe (or maybe I didn't understand correctly).
I updated the user as you described:
Then I connect with API and click on edit.
I can still change the parameter to replace TEST_LAUNCH by something else.
Did I do something bad? Or misunderstand you?
When you actually run the job, the parameter overrides (changes) will be ignored.
Effectively, the user with the "Job Read Only" privilege cannot customize the parameters on the run_event API call. Any customizations passed in are ignored.
There are no changes to the UI. The only changes are inside the run_event API call itself.
Yes, I understood my changes are possible but not taken into account, but please see my test:
I created a basic job that just calls "ls".
I connect to the API (read-only user) and change the command to "df". It's supposed to let me change to "df" but still call "ls", right?
Did I miss something in your explanation?
Oh lord, I'm SO SORRY, there was a typo in my implementation. I was trying to go too fast, and I didn't test it properly. Huge apologies.
I just pushed a brand new release. Please upgrade your primary server to Cronicle v0.9.55 and try your test again. It should work now.
Sorry!
Hello, no worries, and I confirm it works perfectly now!!
Thx a lot
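The behaviour discussed in this thread, modelled as an added example (a simplified sketch, not Cronicle's source code and not written by either participant): with only run_events, overrides sent on the run request replace the stored job parameters; with job_read_only also set, they are dropped server-side regardless of what the UI allowed. The function name buildJob, the privilege-map shape and the sample event are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of server-side enforcement.
// buildJob, the caller/privileges shape and the sample event are hypothetical.

// Constructed sample: an event as stored in the schedule.
const storedEvent = {
  id: 'e_constructed01',
  title: 'List files',
  params: { script: '#!/bin/sh\nls' }
};

// Decide what actually runs for a run request from `caller`.
function buildJob(caller, event, request) {
  const privs = caller.privileges || {};
  if (!privs.run_events) {
    throw new Error('caller lacks run_events');
  }
  // Always start from a deep copy of the stored event.
  const job = JSON.parse(JSON.stringify(event));
  if (privs.job_read_only) {
    // Read-only callers: only the event id is honoured; every other
    // field in the request is ignored, whatever the UI let them type.
    return job;
  }
  // Without job_read_only, request fields override the stored event.
  const { id, ...overrides } = request;
  for (const [key, value] of Object.entries(overrides)) {
    job[key] = (key === 'params') ? { ...job.params, ...value } : value;
  }
  return job;
}

// Constructed request reproducing the test from the thread: "ls" changed to "df".
const request = { id: 'e_constructed01', params: { script: '#!/bin/sh\ndf' } };

const runner = { privileges: { run_events: 1 } };
const lockedRunner = { privileges: { run_events: 1, job_read_only: 1 } };

console.log(JSON.stringify(buildJob(runner, storedEvent, request).params.script));
console.log(JSON.stringify(buildJob(lockedRunner, storedEvent, request).params.script));
```

The regression test worth keeping is the one the reporter ran: submit a modified script as the restricted user and confirm the stored script is what executes.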