
Security Bug with client api #1694

@MagicRedDeer


Describe the bug

When a client connects to a TACTIC server using an API such as the tactic_client_lib Python API, there is no security for the 'admin' and/or 'sthpw' projects.

For example, any user who can log in to the TACTIC server without any credentials can query, insert and update sthpw/ticket, sthpw/login, sthpw/login_in_groups and all other tables, many of which are security-sensitive.

The discussion for this bug was initiated here.

To Reproduce
Steps to reproduce the behavior:

  1. Log in using the Python API tactic_client_lib
  2. Initiate a query to a sensitive table such as sthpw/ticket or sthpw/login
  3. You will be able to view all information, use it or write back to it, including tickets and hashed passwords.

Expected behavior

The intended security behavior for tactic_client_lib should be a matter of analysis and debate, but the following can be proposed.

  1. Security should be applied in a manner that has the same effect as is expected on the web interface.
  2. Users should be able to know which projects they have permissions on.
  3. Users should be able to query entries of the sthpw tables from inside the projects where they have access, according to the rules defined.
  4. Users should not be able to change their own security information, except those with appropriate access levels.
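As an added example (not tactic_client_lib code and not the TACTIC server's own access-control implementation), the four proposals above modelled as a server-side policy check in Python. The names `Login`, `AccessRule`, `Denied`, `permitted_projects()`, `query()` and `write()` are hypothetical, the rule schema is a simplified stand-in for TACTIC's real rules, the choice to treat the `admin` and `sthpw` projects as admin-only and to require an administrator for any write to the security tables is an assumption, and every sample row is constructed.

```python
"""Added example: a hypothetical server-side policy check for API access to
the sthpw tables.  Not tactic_client_lib code and not TACTIC's real rules."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set

# Tables whose rows carry security-sensitive data (the ones named in the issue).
SECURITY_TABLES = {"sthpw/login", "sthpw/login_in_group", "sthpw/ticket"}
# Assumption: only administrators may address these projects through the API.
ADMIN_ONLY_PROJECTS = {"admin", "sthpw"}
WRITE_ACTIONS = {"insert", "update"}


@dataclass
class Login:
    code: str             # login name; also the owner key on sthpw rows
    groups: Set[str]
    is_admin: bool = False


@dataclass(frozen=True)
class AccessRule:
    group: str
    project: str          # project code, or "*" for every project
    search_type: str      # e.g. "sthpw/ticket", or "*" for every table
    access: str           # "view" or "edit"


class Denied(Exception):
    """Raised instead of silently returning rows or accepting a write."""


def _matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def _check_rules(login: Login, rules: Iterable[AccessRule],
                 project: str, search_type: str) -> List[AccessRule]:
    """Proposals 1 and 3: the caller needs a rule for this table in this
    project, and admin-only projects are never reachable by non-admins."""
    if project in ADMIN_ONLY_PROJECTS:
        raise Denied(f"{login.code}: project {project!r} is admin-only")
    matched = [r for r in rules
               if r.group in login.groups
               and _matches(r.project, project)
               and _matches(r.search_type, search_type)]
    if not matched:
        raise Denied(f"{login.code}: no rule grants {search_type} in {project}")
    return matched


def permitted_projects(login: Login, rules: Iterable[AccessRule],
                       all_projects: Iterable[str]) -> Set[str]:
    """Proposal 2: tell the client which projects it may work in."""
    if login.is_admin:
        return set(all_projects)
    return {p for p in all_projects
            if p not in ADMIN_ONLY_PROJECTS
            and any(r.group in login.groups and _matches(r.project, p)
                    for r in rules)}


def _visible(login: Login, search_type: str, row: dict) -> bool:
    # Non-admins only see their own sthpw entries (own login row, own tickets).
    if login.is_admin or search_type not in SECURITY_TABLES:
        return True
    return row.get("login") == login.code


def query(login: Login, rules: Iterable[AccessRule], project: str,
          search_type: str, rows: Iterable[dict]) -> List[dict]:
    """Server-side handling of an API query(): check the project rules first,
    then filter the result set row by row."""
    if not login.is_admin:
        _check_rules(login, rules, project, search_type)
    return [r for r in rows if _visible(login, search_type, r)]


def write(login: Login, rules: Iterable[AccessRule], action: str,
          project: str, search_type: str, row: dict) -> dict:
    """insert()/update() gate.  Proposal 4 is modelled strictly: writes to the
    security tables require an administrator, whatever the group rules say."""
    if action not in WRITE_ACTIONS:
        raise ValueError(f"unknown write action {action!r}")
    if login.is_admin:
        return row
    matched = _check_rules(login, rules, project, search_type)
    if search_type in SECURITY_TABLES:
        raise Denied(f"{login.code}: {action} on {search_type} needs admin")
    if not any(r.access == "edit" for r in matched):
        raise Denied(f"{login.code}: only view access to {search_type}")
    return row


def is_denied(fn: Callable, *args) -> bool:
    """True if the policy refuses the call."""
    try:
        fn(*args)
    except Denied:
        return True
    return False


# Constructed sample data: one group rule set and two login rows with
# placeholder password hashes (not real TACTIC rows).
RULES = [AccessRule("artist", "projA", "*", "view"),
         AccessRule("artist", "projA", "projA/shot", "edit")]
LOGIN_ROWS = [{"login": "alice", "password": "placeholder-hash-1"},
              {"login": "bob", "password": "placeholder-hash-2"}]
alice = Login("alice", {"artist"})
root = Login("root", {"admin"}, is_admin=True)

if __name__ == "__main__":
    print(permitted_projects(alice, RULES, ["projA", "projB", "admin", "sthpw"]))
    print(query(alice, RULES, "projA", "sthpw/login", LOGIN_ROWS))
    print(is_denied(write, alice, RULES, "update", "projA", "sthpw/login", LOGIN_ROWS[0]))
```

The check has to run on the server, in the code path that serves the API, not in tactic_client_lib: anything enforced in the client library is skipped by a caller that talks to the XML-RPC endpoint directly. Refusing with an error rather than returning an empty result is deliberate, since it is what lets a client learn which projects and tables it lacks access to.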
