comparison doc/admin_guide.txt @ 7093:f72ce883e677
Mitigation for issue2551246 -u option to roundup-admin
The -u option ignores the password and doesn't limit access to the
data.
Not a huge issue as currently anybody running it must have read access
to the tracker home and all the credentials. So they can change the
data directly using a db client or read anything they want.
But this wasn't documented. Now it is.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 30 Nov 2022 02:09:16 -0500 |
| parents | 9ff091537f43 |
| children | 98d7936d97a3 |
| 7089:4d7977d51a4e | 7093:f72ce883e677 |
|---|---|
| 876 roundup-admin -i <tracker_dir> set designator[, designator,...] propname=value ... | 876 roundup-admin -i <tracker_dir> set designator[, designator,...] propname=value ... |
| 877 roundup-admin -i <tracker_dir> find [-list] classname propname=value ... | 877 roundup-admin -i <tracker_dir> find [-list] classname propname=value ... |
| 878 | 878 |
| 879 Run ``roundup-admin help commands`` for a complete list of subcommands. | 879 Run ``roundup-admin help commands`` for a complete list of subcommands. |
| 880 | 880 |
| 881 One thing to note, The ``-u user`` setting does not currently operate | |
| 882 like a user logging in via the web. The user running roundup-admin | |
| 883 must have read access to the tracker home directory. As a result the | |
| 884 user has access to the files and the database info contained in | |
| 885 config.ini. | |
| 886 | |
| 887 Using ``-u user`` sets the actor/user parameter in the | |
| 888 journal. Changes that are made are attributed to that | |
| 889 user. The password is ignored if provided. Any existing | |
| 890 username has full access to the data just like the admin | |
| 891 user. This is an area for further development so that | |
| 892 roundup-admin could be used with sudo to provide secure | |
| 893 command line access to a tracker. | |
| 894 | |
| 895 In general you should forget that there is a -u parameter. | |
| 896 | |
| 881 .. _`customisation documentation`: customizing.html | 897 .. _`customisation documentation`: customizing.html |
| 882 .. _`upgrading documentation`: upgrading.html | 898 .. _`upgrading documentation`: upgrading.html |
| 883 .. _`installation documentation`: installation.html | 899 .. _`installation documentation`: installation.html |
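Review bot: The paragraph at the added lines numbered 887 to 893 says the password is ignored and that changes are attributed to the named user, but it does not spell out the auditing consequence. Anyone who can read the tracker home can record journal entries under any existing username, so journal attribution for changes made through roundup-admin is not evidence of who made them. Consider stating that directly, and naming file system permissions on the tracker home as the access control that actually applies. The closing sentence "In general you should forget that there is a -u parameter." is not actionable as written. Say what an admin should do instead, for example not to rely on ``-u`` for authentication or authorization, and put -u in double backticks as the rest of the hunk does. Minor: "One thing to note, The" has a stray capital after the comma.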
