[jira] [Commented] (JCRVLT-427) Allow installation of packages with hook for users without admin privileges

Tue, 21 Apr 2020 23:43:26 -0700 


    [ 
https://issues.apache.org/jira/browse/JCRVLT-427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17089346#comment-17089346
 ] 

Angela Schreiber commented on JCRVLT-427:
-----------------------------------------

[~tripod], thanks for the insight... so the problem is that the hooks allow for 
code execution, which is not covered by any privileges because the repository 
is not aware of the subtleties of the layers above the repository that fail to 
properly separate between application code and content. and since executing 
code may lead to complete system takeover and thus was considered a privilege 
escalation, which was prevented by making this feature available to those users 
that anyway have full access.

[~henzlerg], as far as i know the list of paths that contain application code 
is configurable as well and just assuming that it's just /libs and /apps might 
not be true. also, you can test if a given session has the ability to write at 
a given path but if i remember correctly it's not possible to know if the whole 
subtree is writable. i am not sure from your suggestion, which of the two you 
were envisioning.

> Allow installation of packages with hook for users without admin privileges
> ---------------------------------------------------------------------------
>
>                 Key: JCRVLT-427
>                 URL: https://issues.apache.org/jira/browse/JCRVLT-427
>             Project: Jackrabbit FileVault
>          Issue Type: Improvement
>          Components: vlt
>            Reporter: Konrad Windszus
>            Assignee: Konrad Windszus
>            Priority: Major
>             Fix For: 3.4.6
>
>
> Currently due to the check in 
> https://github.com/apache/jackrabbit-filevault/blob/e257001ec22ea06bcc987cbf79f0cc9b15c4e186/vault-core/src/main/java/org/apache/jackrabbit/vault/packaging/impl/ZipVaultPackage.java#L184
>  packages containing a hook can only be installed by admins.
> Although I do understand the intent of that I think this is not flexible 
> enough as currently that only gives the rights to users "admin", "system" or 
> members of group "administrators". Instead there should be an OSGi 
> configuration which allows to configure to grant the right to install 
> packages with hooks to other groups as well!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to