Hi Alex,
On Monday 11 March 2013 15:27:51, you wrote:
> However, what I'm effectively doing if I give webaccess rights to
> someone is that I promote her to superadmin, simply because she could
>
> https://juser.fz-juelich.de/admin/webaccess/webaccessadmin.py/manageaccounts
> ?mtype=perform_modifyaccounts#4
>
> and here she is allowed to become /any/ user. Even a user with /more/
> rights than she actually had herself. I.e. every user that has
> cfgwebaccess can effectively su - root.
>
> I wonder whether this is really intended... Looks like a backdoor.
Not really a back-door but a limitation in this sense. In the end, like on
UNIX systems, the person who can edit the sudoers file can grant himself root
rights. I don’t see a quick workaround to this “feature” :-)
> What I'd like to enable is a su to users with less or equal rights e.g.
> for our helpdesk. This would allow them to check contents of some
> baskets or see some workflowish stuff exactly as the enduser does.
OK. That actually exists (you might have seen it in the Manage Accounts area in
the form of the “Become user” functionality). However, it is indeed available
only to users authorized to “cfgwebaccess”, as you have rightly remarked.
> But even though I really trust our helpdesk, I'd like to avoid them
> having a bunch of admin options that only cause confusion. This might
> happen by sheer chance, as usernames are e-mail addresses and I just
> count what mails I get due to (near and exact) name dupes...
Indeed we might introduce finer-grained tuning of this action so that
e.g. we could specially authorize the “Become user” action. However, how do we
prevent an authorized user from becoming admin? There is no intrinsic sorting
of privileges... any suggestion, anybody?
Cheers!
Samuele
--
Samuele Kaplun
Invenio Developer ** <http://invenio-software.org/>
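One way to get the "su to users with less or equal rights" that Alex asks for, without inventing a ranking of roles by hand, is to order accounts by the set of actions they are effectively authorized to perform: an actor may become a target only if every action the target can perform, the actor can perform too. The following is an added illustration written for this thread, not Invenio code; the role and user tables are constructed sample data, the action names merely resemble Invenio's (only cfgwebaccess is taken from the discussion), and "becomeuser" is a hypothetical separate action standing in for the finer-grained authorization Samuele mentions. The last function checks that chaining impersonations cannot gain any action the actor did not already have, which is what makes the subset order safe against the sudoers-style escalation discussed above.

```python
"""Subset-ordered "become user" check (added example, not part of Invenio)."""

from collections import deque
from typing import Dict, FrozenSet, Set

# Constructed sample data standing in for the role/action and user/role tables.
# "becomeuser" is a hypothetical action distinct from "cfgwebaccess".
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "anyuser": {"viewrestrcoll", "submit"},
    "helpdesk": {"viewrestrcoll", "submit", "becomeuser"},
    "curator": {"viewrestrcoll", "submit", "runbibedit"},
    "superadmin": {"viewrestrcoll", "submit", "runbibedit",
                   "cfgwebaccess", "becomeuser"},
}

USER_ROLES: Dict[str, Set[str]] = {
    "alice@example.org": {"anyuser"},
    "bob@example.org": {"anyuser", "curator"},
    "help@example.org": {"helpdesk"},
    "admin@example.org": {"superadmin"},
}

BECOME_ACTION = "becomeuser"


def effective_actions(user: str) -> FrozenSet[str]:
    """Union of the actions granted by every role the user holds."""
    actions: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        actions |= ROLE_ACTIONS.get(role, set())
    return frozenset(actions)


def can_become(actor: str, target: str) -> bool:
    """Allow impersonation only 'downwards' in the subset order.

    The actor needs the become action itself, and the target must not be
    able to do anything the actor cannot already do. Unknown targets and
    self-impersonation are refused.
    """
    if actor == target or target not in USER_ROLES:
        return False
    actor_actions = effective_actions(actor)
    if BECOME_ACTION not in actor_actions:
        return False
    return effective_actions(target) <= actor_actions


def become_user(actor: str, target: str) -> str:
    """Return the identity the session switches to, or refuse."""
    if not can_become(actor, target):
        raise PermissionError(f"{actor} may not become {target}")
    return target


def reachable_actions(actor: str) -> FrozenSet[str]:
    """Every action obtainable by chaining become_user any number of times."""
    seen = {actor}
    queue = deque([actor])
    gained: Set[str] = set()
    while queue:
        current = queue.popleft()
        gained |= effective_actions(current)
        for candidate in USER_ROLES:
            if candidate not in seen and can_become(current, candidate):
                seen.add(candidate)
                queue.append(candidate)
    return frozenset(gained)


def escalation_gained(actor: str) -> FrozenSet[str]:
    """Actions the actor could gain via impersonation chains; empty if the
    subset order holds, because each hop only ever goes to a subset."""
    return reachable_actions(actor) - effective_actions(actor)


if __name__ == "__main__":
    print(become_user("help@example.org", "alice@example.org"))
    try:
        become_user("help@example.org", "admin@example.org")
    except PermissionError as exc:
        print("refused:", exc)
    print("escalation for helpdesk:", set(escalation_gained("help@example.org")))
```

Note what this does and does not solve: it gives the helpdesk a "Become user" that can only reach accounts with a subset of its own rights, but whoever can still edit the role tables (the sudoers analogy in the reply) can grant themselves any action first, so the check is only meaningful once the become action is separated from cfgwebaccess.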