On 10/06/2016 12:43 PM, Dominic Cleal wrote:
> On 06/10/16 11:33, Jorick Astrego wrote:
>> For troubleshooting I used the foreman-rake console with "User.current =
>> User.anonymous_admin".
>>
>> This enables me to do several things to our foreman environment without
>> authenticating. How can I disable this for security purposes?
> You can't, and it'd be rather pointless as it's trivial to work around.
> The console is a fully interactive Ruby script that you're executing, so
> any in-process security measure can be bypassed easily.
>
> Executing any foreman-rake command successfully indicates you already
> have direct access to the database because the console process itself
> connects to the DB. Probably via a Unix domain socket and optionally
> with username/password stored in /etc/foreman/database.yml.
>
> You should restrict access to the database and credentials to tighten
> security, not try to restrict behaviour of this one script that accesses it.
>
Thanks for the info!
My knowledge of ruby is not so great, so I hadn't realized it was
talking to the db.
I'll have to dive more into it ;-)
Met vriendelijke groet, With kind regards,
Jorick Astrego
Netbulae Virtualization Experts
----------------
Tel: 053 20 30 270
Fax: 053 20 30 271
[email protected]
www.netbulae.eu
Staalsteden 4-3A
7547 TA Enschede
KvK 08198180
BTW NL821234584B01
----------------
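The hardening Dominic points at, restricting who can read the database credentials and who can reach the database at all, can be checked with a short script. The following is an added example, not code from this thread or from the Foreman project. It assumes GNU stat (Linux) and a PostgreSQL-style database.yml; the file names, the expected owner and the two sample configs are constructed for the demonstration and are not taken from any real deployment.

```shell
#!/bin/sh
# Added example, not from the thread or the Foreman project: audit a Rails
# database.yml (e.g. /etc/foreman/database.yml) for settings that let more
# than the application itself read the credentials or reach the database.
# Assumes GNU stat; the expected owner of the file is passed in by the caller.

# Print the value of every "host:" key in FILE, one per line, quotes stripped.
db_yml_hosts() {
  grep -E '^[[:space:]]*host:' "$1" | sed -E 's/^[[:space:]]*host:[[:space:]]*//' | tr -d "\"'"
}

# audit_database_yml FILE EXPECTED_OWNER
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_database_yml() {
  file=$1
  expected_owner=$2
  findings=0

  if [ ! -f "$file" ]; then
    echo "MISSING: $file"
    return 1
  fi

  # Who may read the credentials on disk. The three low octal digits are
  # owner/group/other; any "other" bit hands the DB password to every local
  # account, which is exactly the access the console needs to skip auth.
  mode=$(stat -c '%a' "$file")
  low3=$(printf '%s' "$mode" | tail -c 3)
  while [ ${#low3} -lt 3 ]; do low3=0$low3; done
  group_digit=$(printf '%s' "$low3" | cut -c 2)
  other_digit=$(printf '%s' "$low3" | cut -c 3)
  if [ "$other_digit" != "0" ]; then
    echo "OTHER_ACCESS: $file is mode $mode; credentials readable by any local user"
    findings=$((findings + 1))
  fi
  case $group_digit in
    2|3|6|7)
      echo "GROUP_WRITE: $file is mode $mode; group members can change the DB credentials"
      findings=$((findings + 1)) ;;
  esac

  # Who owns the file: anything but the service account can rewrite it.
  owner=$(stat -c '%U' "$file")
  if [ "$owner" != "$expected_owner" ]; then
    echo "OWNER: $file is owned by $owner, expected $expected_owner"
    findings=$((findings + 1))
  fi

  # Where the database listens. A Unix socket (a path) or loopback keeps the
  # connection on-host; a hostname means TCP, and without sslmode require or
  # verify-* the password crosses the network in clear.
  for host in $(db_yml_hosts "$file"); do
    case $host in
      /*|localhost|127.0.0.1|::1) ;;
      *)
        echo "REMOTE_HOST: $file connects over TCP to $host"
        findings=$((findings + 1))
        if ! grep -Eq '^[[:space:]]*sslmode:[[:space:]]*(require|verify-ca|verify-full)' "$file"; then
          echo "PLAINTEXT_TCP: no sslmode require/verify-* for $host"
          findings=$((findings + 1))
        fi ;;
    esac
  done

  [ "$findings" -eq 0 ]
}

# Demonstration on two constructed configs (sample data, not a real install).
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.yml" <<'EOF'
production:
  adapter: postgresql
  host: db.example.internal
  database: foreman
  username: foreman
  password: changeme
EOF
chmod 644 "$demo_dir/weak.yml"

cat > "$demo_dir/hardened.yml" <<'EOF'
production:
  adapter: postgresql
  host: /var/run/postgresql
  database: foreman
  username: foreman
  password: changeme
EOF
chmod 600 "$demo_dir/hardened.yml"

me=$(id -un)
echo "== weak.yml";     audit_database_yml "$demo_dir/weak.yml" "$me" || echo "-> findings above"
echo "== hardened.yml"; audit_database_yml "$demo_dir/hardened.yml" "$me" && echo "-> clean"
rm -rf "$demo_dir"
```

Run it against the real file as root with the service account as the expected owner, e.g. audit_database_yml /etc/foreman/database.yml foreman. The checks only cover the file and the connection target; the other half of Dominic's advice, limiting what the database role itself may do and who can open the socket, has to be checked on the database server.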
--
You received this message because you are subscribed to the Google Groups
"Foreman users" group.
Visit this group at https://groups.google.com/group/foreman-users.