Re: [rt-users] urgent: disable search for new watchers
Hi Kenn,

I might not understand your concept. What does such a view look like? Our customer wants to check at any time which tickets are new, open and resolved, which I thought is quickest via browsing RT. Of course I am happy to get more information about your views, but to be honest, in my opinion RT should offer me that requirement.

Regards
Violetta

Ken Crocker wrote:
> Violetta,
>
> I just thought of an idea, but it would require a bit of work. Why not try creating some views that have only the info you want these users to see and then remove them from RT? They can still get to the RT info through the views, which SHOULD suffice, since they are gonna be creating searches and reports. I'm not sure what your infrastructure is like where you work, but we have many users that do NOT access RT, but create their own SQL reports all the time through the views. We're on Oracle, but I'm sure the same concept is doable with other DBs. I even have some SQL that I use to create the views. I'd be MORE than happy to send it to you and you can modify the info as per your needs. They even have comments, which you can't get to in RT Query.
>
> Just a thought.
>
> Kenn
> LBNL

--
Vorstand/Board of Management: Dr. Bernd Finkbeiner, Dr. Roland Niemeier, Dr. Arno Steitz, Dr. Ingrid Zech
Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: Michel Lepert
Sitz/Registered Office: Tuebingen
Registergericht/Registration Court: Stuttgart
Registernummer/Commercial Register No.: HRB 382196

___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: sa...@bestpractical.com
Discover RT's hidden secrets with RT Essentials from O'Reilly Media. Buy a copy at http://rtbook.bestpractical.com
Re: [rt-users] urgent: disable search for new watchers
Violetta,

In Oracle (and I assume other DBs) a View is a way to allow users to see specific data in a database without allowing them to see it all nor to change the data. It is realtime. By using SQL, I create a VIEW to RT data, meaning a pseudo-table. Let's say I have 3 fields from table 1, 2 fields from table 2, 8 fields from table 3 that I want some users to see. I do NOT want them to see other information, nor do I want these users to be able to modify any of the table data. So, I create a view of these fields from the various tables and it is accessed much like one would access a table in a database. Hence the term View. Your DBA could tell you if your environment has such a thing. If so, they can tell you how to create it. It is ALWAYS accessible (via userid and password) as long as the database is up, and the data is NOT loaded; it is filtered, so to speak. Think of it as a WINDOW to the database. You can't see it all, you can only see what is specified.

Hope this helps.

Kenn
LBNL

On 6/22/2009 2:03 AM, Violetta J. Wawryk wrote:
> Hi Kenn,
>
> I might not understand your concept. What does such a view look like? Our customer wants to check at any time which tickets are new, open and resolved, which I thought is quickest via browsing RT. Of course I am happy to get more information about your views, but to be honest, in my opinion RT should offer me that requirement.
>
> Regards
> Violetta
>
> Ken Crocker wrote:
> > Violetta,
> >
> > I just thought of an idea, but it would require a bit of work. Why not try creating some views that have only the info you want these users to see and then remove them from RT? They can still get to the RT info through the views, which SHOULD suffice, since they are gonna be creating searches and reports. I'm not sure what your infrastructure is like where you work, but we have many users that do NOT access RT, but create their own SQL reports all the time through the views. We're on Oracle, but I'm sure the same concept is doable with other DBs. I even have some SQL that I use to create the views. I'd be MORE than happy to send it to you and you can modify the info as per your needs. They even have comments, which you can't get to in RT Query.
> >
> > Just a thought.
> >
> > Kenn
> > LBNL
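The view Kenn describes, written out as an added example (this is not Kenn's SQL from the thread, nor anything shipped with RT). It assumes the RT 3.x table and column names Tickets, Queues and Users with Tickets.Queue and Tickets.Owner as foreign keys, uses Oracle syntax for the read-only clause, and uses placeholder names for the view, role and reporting account. The point is the filtering Kenn describes: the reporting user gets ticket state per queue and the owner's display name, but the Users table itself, including EmailAddress, is never granted.

```sql
-- Added example, not code from the thread or from RT. Assumed schema:
-- RT 3.x tables Tickets, Queues, Users (verify against your own database).

-- 1. The "window": only the columns the reporting users need.
--    Users.EmailAddress is deliberately not selected, so the view
--    cannot be used to enumerate addresses.
CREATE OR REPLACE VIEW rt_ticket_status_v AS
SELECT t.id       AS ticket_id,
       t.Subject  AS subject,
       t.Status   AS status,
       q.Name     AS queue_name,
       o.RealName AS owner_name,      -- display name only
       t.Created  AS created,
       t.Resolved AS resolved
  FROM Tickets t
  JOIN Queues q       ON q.id = t.Queue
  LEFT JOIN Users o   ON o.id = t.Owner
 WHERE t.Type = 'ticket'             -- skip reminders and approvals
   AND t.Status IN ('new', 'open', 'resolved')
WITH READ ONLY;                      -- Oracle: no DML through the view

-- 2. A dedicated role that may read the view and nothing else.
--    Do NOT grant SELECT on Tickets or Users to this role.
CREATE ROLE rt_report_reader;
GRANT SELECT ON rt_ticket_status_v TO rt_report_reader;
-- GRANT rt_report_reader TO <reporting_account>;  -- placeholder account name

-- 3. The kind of report the customer asked for: ticket counts by
--    queue and state, runnable by the reporting account.
SELECT queue_name, status, COUNT(*) AS tickets
  FROM rt_ticket_status_v
 GROUP BY queue_name, status
 ORDER BY queue_name, status;
```

To confirm the filtering works, connect as the reporting account and try `SELECT EmailAddress FROM Users`; it should fail with a privilege error, while the GROUP BY query above succeeds. If you later add columns to the view, re-check that none of them carries an address or login name you meant to keep out.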
Re: [rt-users] urgent: disable search for new watchers
Hello,

yes, I have to make him privileged because he is a kind of control instance who has to see what orders (a ticket is an order) have been made.

Thanks to all who answered. I cannot believe that no one ever thought of this as a security bug.

@Kevin: no, I did not grant ShowConfigTab to anyone; to be honest I didn't even know that this one existed.

Email addresses themselves are considered valuable data by some people. In this particular case, it might also reveal customer contacts (which could be abused for various purposes, not just sending spam).

@Florian: yes, you are absolutely right. Since a colleague found another security issue, can anyone tell me an email address where to send security issues that should definitely not be public?

Thanks in advance
Violetta

Raed El-Hames wrote:
> Violetta;
>
> You also made these people privileged ("Let this user be granted rights" is ticked). The question is, do you want them to be privileged? If these are your customers then you should untick this and force them into the restricted SelfService. If you have to have them privileged then by default they will see the People tab, and to restrict that you will need to add extra code in a few places.
>
> Regards;
> Roy
>
> Violetta J. Wawryk wrote:
> > Hi,
> >
> > RT is 3.6.1 on a Debian system. We just found out that in the People section everyone who can log in can search for people. So a person who has the following rights:
> >
> > CreateTicket
> > ReplyToTicket
> > SeeQueue
> > ShowTicket
> >
> > can go to the People section and do a search like "userid doesn't contain xyz", and he gets all the users of the RT. Since this is a security issue, is there anything that I can do to prevent these searches? It might be disabled in a newer version; if so, which would that be? A quick search on the list didn't give me an answer, therefore I have to ask this. Sorry if it's been on the list before.
> >
> > Quick help is really appreciated, thanks in advance
> >
> > Regards
> > Violetta

--
creating IT solutions
Violetta J. Wawryk
science + computing ag
IT-Service
Hagellocher Weg 73
72070 Tuebingen, Germany
phone +49 7071 9457 282
fax +49 7071 9457 211
www.science-computing.de
Re: [rt-users] urgent: disable search for new watchers
Violetta,

I just thought of an idea, but it would require a bit of work. Why not try creating some views that have only the info you want these users to see and then remove them from RT? They can still get to the RT info through the views, which SHOULD suffice, since they are gonna be creating searches and reports. I'm not sure what your infrastructure is like where you work, but we have many users that do NOT access RT, but create their own SQL reports all the time through the views. We're on Oracle, but I'm sure the same concept is doable with other DBs. I even have some SQL that I use to create the views. I'd be MORE than happy to send it to you and you can modify the info as per your needs. They even have comments, which you can't get to in RT Query.

Just a thought.

Kenn
LBNL

On 6/19/2009 1:22 AM, Violetta J. Wawryk wrote:
> Hello,
>
> yes, I have to make him privileged because he is a kind of control instance who has to see what orders (a ticket is an order) have been made.
>
> Thanks to all who answered. I cannot believe that no one ever thought of this as a security bug.
>
> @Kevin: no, I did not grant ShowConfigTab to anyone; to be honest I didn't even know that this one existed.
>
> Email addresses themselves are considered valuable data by some people. In this particular case, it might also reveal customer contacts (which could be abused for various purposes, not just sending spam).
>
> @Florian: yes, you are absolutely right. Since a colleague found another security issue, can anyone tell me an email address where to send security issues that should definitely not be public?
>
> Thanks in advance
> Violetta
>
> Raed El-Hames wrote:
> > Violetta;
> >
> > You also made these people privileged ("Let this user be granted rights" is ticked). The question is, do you want them to be privileged? If these are your customers then you should untick this and force them into the restricted SelfService. If you have to have them privileged then by default they will see the People tab, and to restrict that you will need to add extra code in a few places.
> >
> > Regards;
> > Roy
> >
> > Violetta J. Wawryk wrote:
> > > Hi,
> > >
> > > RT is 3.6.1 on a Debian system. We just found out that in the People section everyone who can log in can search for people. So a person who has the following rights:
> > >
> > > CreateTicket
> > > ReplyToTicket
> > > SeeQueue
> > > ShowTicket
> > >
> > > can go to the People section and do a search like "userid doesn't contain xyz", and he gets all the users of the RT. Since this is a security issue, is there anything that I can do to prevent these searches? It might be disabled in a newer version; if so, which would that be? A quick search on the list didn't give me an answer, therefore I have to ask this. Sorry if it's been on the list before.
> > >
> > > Quick help is really appreciated, thanks in advance
> > >
> > > Regards
> > > Violetta
Re: [rt-users] urgent: disable search for new watchers
> Oh, that user search. I thought we were allowing access to the user administration section. Thank you for a clearer bug report, Raed.
>
> As Jesse said, the full UI is meant for staff, which explains the ability to see other users. It isn't clear to me how people would want this fixed, since removing the ability to search pretty much dooms people to typing in email addresses incorrectly.

Agree. I think it was down to wrong implementation, as I and Jesse explained in earlier posts.

Regards;
Roy
Re: [rt-users] urgent: disable search for new watchers
On Thu, Jun 18, 2009 at 11:27, Ken Crocker <kfcroc...@lbl.gov> wrote:
> Why is it a security issue? If your privileges are allowing them to go to a user's Preferences, then I understand, but just knowing what UserIds are on the system doesn't seem like a big deal to me.

It gives them an edge in trying to crack other accounts, because they then already have half the authentication pair. On the other hand, they can already determine the name of a privileged user by looking at who owns their ticket or otherwise converse with them via RT.

--
Cambridge Energy Alliance: Save money. Save the planet.
Re: [rt-users] urgent: disable search for new watchers
Jerrad,

Yes, but you can keep them out of other accounts by removing so many global privileges and making them Queue-level privileges. That way, no one can get into a Queue unless specifically allowed to by privileges.

Kenn
LBNL

On 6/18/2009 8:31 AM, Jerrad Pierce wrote:
> On Thu, Jun 18, 2009 at 11:27, Ken Crocker <kfcroc...@lbl.gov> wrote:
> > Why is it a security issue? If your privileges are allowing them to go to a user's Preferences, then I understand, but just knowing what UserIds are on the system doesn't seem like a big deal to me.
>
> It gives them an edge in trying to crack other accounts, because they then already have half the authentication pair. On the other hand, they can already determine the name of a privileged user by looking at who owns their ticket or otherwise converse with them via RT.
Re: [rt-users] urgent: disable search for new watchers
> Yes, but you can keep them out of other accounts by removing so many global privileges and making them Queue-level privileges. That way, no one can get into a Queue unless specifically allowed to by privileges.

I think you missed the crack part. If I can get a list of usernames on a system, it's that much easier to run a dictionary attack against. So joeblow sees that admin1 is a valid account, starts guessing passwords and eventually ends up logged in as admin1. Far-fetched, and not the most probable scenario/target (RT), but possible.

--
Cambridge Energy Alliance: Save money. Save the planet.
Re: [rt-users] urgent: disable search for new watchers
Violetta;

You also made these people privileged ("Let this user be granted rights" is ticked). The question is, do you want them to be privileged? If these are your customers then you should untick this and force them into the restricted SelfService. If you have to have them privileged then by default they will see the People tab, and to restrict that you will need to add extra code in a few places.

Regards;
Roy

Violetta J. Wawryk wrote:
> Hi,
>
> RT is 3.6.1 on a Debian system. We just found out that in the People section everyone who can log in can search for people. So a person who has the following rights:
>
> CreateTicket
> ReplyToTicket
> SeeQueue
> ShowTicket
>
> can go to the People section and do a search like "userid doesn't contain xyz", and he gets all the users of the RT. Since this is a security issue, is there anything that I can do to prevent these searches? It might be disabled in a newer version; if so, which would that be? A quick search on the list didn't give me an answer, therefore I have to ask this. Sorry if it's been on the list before.
>
> Quick help is really appreciated, thanks in advance
>
> Regards
> Violetta