[ https://issues.apache.org/jira/browse/GUACAMOLE-507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16364685#comment-16364685 ]

Michael Jumper commented on GUACAMOLE-507:
------------------------------------------

{quote}
I created a standard user "test" by cloning the default admin account 
"guacadmin". Then I just checked the box "change own password", nothing more; all 
other boxes are blank!
{quote}

When you clone a user, all permissions granted to the original user are copied 
over. The boxes are not blank - the same boxes which are checked for the admin 
user are checked for the cloned user. Unless explicitly unchecked, your new 
user will have the same permissions. If you want to create a user with limited 
privileges, cloning a user with unlimited privileges is not a good way to go 
about this. Just create the new user without cloning.

{quote}
While on the Users tab, I cannot modify my own user profile (access denied); on the 
Connections tab I can modify OR delete existing connections?!
{quote}

Users generally cannot edit their own permissions. A user either has 
system-level admin permission (and thus implicitly has all permissions) or must 
be granted permissions on a case-by-case basis by another user who has 
permission to do so.

{quote}
Worth checking that and confirming there's a security issue relating to cloning an 
account vs creating a new account?
{quote}

Thankfully, this is not a security issue. If you believe you have found an 
issue with security implications *do not post the issue to JIRA*, as doing so 
immediately discloses the issue publicly. Follow responsible disclosure 
practices and email the project privately at priv...@guacamole.apache.org 
instead. See:

http://guacamole.apache.org/faq/#security

> Allow "change own password" for user account allow to modify / delete 
> existing connections
> ------------------------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-507
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-507
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole
>    Affects Versions: 1.0.0
>         Environment: Ubuntu server 16.04.3, guacamole git version client and 
> server
>            Reporter: emma
>            Priority: Blocker
>         Attachments: Test_changeOwnPassword_usertab_v1.0.0.png, 
> Test_changeOwnPassword_v1.0.0.png
>
>
> Testing the latest guacamole-client AND guacamole-server git versions with the TOTP 
> extension ON and a MySQL database:
> Allowing "change own password" for a user account allows it to modify / delete 
> existing connections.
> I created a standard user "test" by cloning the default admin account 
> "guacadmin". Then I just checked the box "change own password", nothing more; all 
> other boxes are blank!
> Then I connected through Guacamole with that new user "test" and tried to change 
> my password; then I realized I was able to see the Users and Connections tabs and 
> access them!
> While on the Users tab, I cannot modify my own user profile (access denied); on the 
> Connections tab I can modify OR delete existing connections?!
> Then I retried with a new user created WITHOUT cloning the "guacadmin" default 
> account, and this time it seems to work as expected!
> Worth checking that and confirming there's a security issue relating to cloning an 
> account vs creating a new account?
> Thank you!



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
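A defender's check for the cloning behaviour discussed in this thread, added here as an example rather than anything from the issue or the Guacamole project: SQL run against the guacamole-auth-jdbc MySQL database (table and column names are assumed from the 1.0.0 schema and should be verified against the installed one; the user names "test" and "guacadmin" are taken from the report) that lists which users hold system-level permissions or UPDATE/DELETE rights on connections.

```sql
-- Added audit queries, not part of the issue thread or the Guacamole project.
-- Assumes the guacamole-auth-jdbc MySQL schema of 1.0.0 (guacamole_entity,
-- guacamole_system_permission, guacamole_connection_permission,
-- guacamole_connection); check these names against your schema first.

-- 1. Every user entity holding a system-level permission. Any user other
--    than the intended administrators appearing here (for example, a user
--    created by cloning "guacadmin") deserves a review of its permissions.
SELECT e.name AS username, sp.permission
FROM guacamole_entity e
JOIN guacamole_system_permission sp ON sp.entity_id = e.entity_id
WHERE e.type = 'USER'
ORDER BY e.name, sp.permission;

-- 2. Users who can change or delete individual connections although they
--    are not system administrators. "change own password" alone grants
--    nothing here, so every row is a right that was copied by cloning or
--    granted explicitly.
SELECT e.name AS username, c.connection_name, cp.permission
FROM guacamole_entity e
JOIN guacamole_connection_permission cp ON cp.entity_id = e.entity_id
JOIN guacamole_connection c ON c.connection_id = cp.connection_id
WHERE e.type = 'USER'
  AND cp.permission IN ('UPDATE', 'DELETE', 'ADMINISTER')
  AND NOT EXISTS (
      SELECT 1 FROM guacamole_system_permission sp
      WHERE sp.entity_id = e.entity_id AND sp.permission = 'ADMINISTER')
ORDER BY e.name, c.connection_name;

-- 3. The report's own scenario: connection permissions that the cloned user
--    "test" still shares with the account it was cloned from, "guacadmin".
--    Each row is a permission that should have been unchecked at clone time.
SELECT c.connection_name, cp.permission
FROM guacamole_connection_permission cp
JOIN guacamole_entity e ON e.entity_id = cp.entity_id
JOIN guacamole_connection c ON c.connection_id = cp.connection_id
WHERE e.type = 'USER' AND e.name = 'test'
  AND EXISTS (
      SELECT 1
      FROM guacamole_connection_permission ap
      JOIN guacamole_entity a ON a.entity_id = ap.entity_id
      WHERE a.type = 'USER' AND a.name = 'guacadmin'
        AND ap.connection_id = cp.connection_id
        AND ap.permission = cp.permission)
ORDER BY c.connection_name, cp.permission;
```

An empty result from query 2 is the expected state for an installation where only administrators manage connections; the same queries can be scheduled after any user is cloned to confirm that unwanted rights were removed.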