Mercurial > p > roundup > code
comparison doc/user_guide.txt @ 7093:f72ce883e677
Mitigation for issue2551246 -u opton to roundup-admin
The -u option ignores the password and doesn't limit access to the
data.
Not a huge issue as currently anybody running it must have read access
to the tracker home and all the credentials. So they can change the
data directly using a db client or read anything they want.
But this wasn't documented. Now it is.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 30 Nov 2022 02:09:16 -0500 |
| parents | f0d39308819f |
| children | 86862ed039fa |
comparison
equal
deleted
inserted
replaced
| 7089:4d7977d51a4e | 7093:f72ce883e677 |
|---|---|
| 848 - the "``-u``" command-line option | 848 - the "``-u``" command-line option |
| 849 | 849 |
| 850 If either the name or password is not supplied, they are obtained from | 850 If either the name or password is not supplied, they are obtained from |
| 851 the command-line. | 851 the command-line. |
| 852 | 852 |
| 853 The ``-u user`` setting does not currently operate like a | |
| 854 user logging in via the web. The user running roundup-admin | |
| 855 must have read access to the tracker home directory. As a | |
| 856 result the user has access to the files and the database | |
| 857 info contained in config.ini. | |
| 858 | |
| 859 Using ``-u user`` sets the actor/user parameter in the | |
| 860 journal. Changes that are made are attributed to that | |
| 861 user. The password is ignored if provided. Any existing | |
| 862 username has full access to the data just like the admin | |
| 863 user. This is an area for further development so that | |
| 864 roundup-admin could be used with sudo to provide secure | |
| 865 command line access to a tracker. | |
| 866 | |
| 853 When you initialise a new tracker instance you are prompted for the | 867 When you initialise a new tracker instance you are prompted for the |
| 854 admin password. If you want to initialise a tracker non-interactively | 868 admin password. If you want to initialise a tracker non-interactively |
| 855 you can put the initialise command and password on the command | 869 you can put the initialise command and password on the command |
| 856 line. But this allows others on the host to see the password (using | 870 line. But this allows others on the host to see the password (using |
| 857 the ps command). To initialise a tracker non-interactively without | 871 the ps command). To initialise a tracker non-interactively without |