diff doc/admin_guide.txt @ 7093:f72ce883e677
Mitigation for issue2551246 -u option to roundup-admin
The -u option ignores the password and doesn't limit access to the
data.
Not a huge issue as currently anybody running it must have read access
to the tracker home and all the credentials. So they can change the
data directly using a db client or read anything they want.
But this wasn't documented. Now it is.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 30 Nov 2022 02:09:16 -0500 |
| parents | 9ff091537f43 |
| children | 98d7936d97a3 |
--- a/doc/admin_guide.txt Wed Nov 30 00:01:48 2022 -0500 +++ b/doc/admin_guide.txt Wed Nov 30 02:09:16 2022 -0500 @@ -878,6 +878,22 @@ Run ``roundup-admin help commands`` for a complete list of subcommands. +One thing to note, The ``-u user`` setting does not currently operate +like a user logging in via the web. The user running roundup-admin +must have read access to the tracker home directory. As a result the +user has access to the files and the database info contained in +config.ini. + +Using ``-u user`` sets the actor/user parameter in the +journal. Changes that are made are attributed to that +user. The password is ignored if provided. Any existing +username has full access to the data just like the admin +user. This is an area for further development so that +roundup-admin could be used with sudo to provide secure +command line access to a tracker. + +In general you should forget that there is a -u parameter. + .. _`customisation documentation`: customizing.html .. _`upgrading documentation`: upgrading.html .. _`installation documentation`: installation.html
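Review bot: the new paragraph should state plainly that journal attribution from ``-u user`` is unauthenticated, since the hunk says the password "is ignored if provided" while "Changes that are made are attributed to that user"; as written a reader may still treat journal entries as an audit trail, so a sentence such as "Journal entries made via ``-u`` do not prove that the named user made the change" would close that gap. The real access boundary is also worth naming directly: the text says the operator "must have read access to the tracker home directory" and thereby to "config.ini", so filesystem permissions on the tracker home, not the Roundup account, are what limit who can use roundup-admin. Two style points in the same hunk: "One thing to note, The ``-u user`` setting" has a stray capital after the comma, and the closing "there is a -u parameter" should use ``-u`` in double backticks for consistency with the rest of the paragraph.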
