Galaxy admins, a couple questions:
- If you're running galaxy with REMOTE_USER authentication, do you have local users on the same box?
- If you do, have you done anything to mitigate administrator impersonation in galaxy?
We currently have galaxy deployed on a box that acts as a classroom server. I was poking around and noticed that it was trivial to make curl requests with the REMOTE_USER variable set, and impersonate an admin.
I've been considering solutions to this and arrived at the conclusion that the interface should require a "password" in addition to REMOTE_USER being set. That is, a header with a long random string should be required to be set in the reverse proxy configs, as well as being checked on the galaxy side much like how REMOTE_USER is checked.
Center for Phage Technology
Texas A&M University
College Station, TX 77843
Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
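The check proposed in the post, written out as a small WSGI middleware. This is an added example, not Galaxy's own remote-user middleware or configuration; the header name `X-Proxy-Secret`, the `galaxy.is_admin` environ key and the sample addresses are assumptions chosen for illustration. It shows why the spoof works (a `REMOTE_USER` request header reaches a WSGI app as `HTTP_REMOTE_USER`, indistinguishable from what the proxy sets) and how requiring a second, proxy-only header closes it: the identity is trusted only when the shared secret matches, the comparison is constant-time, and rejected attempts are logged with the source address so they can be alerted on.

```python
"""Added example: REMOTE_USER accepted only alongside a proxy-set shared secret.

Not Galaxy's code. Header names and the 'galaxy.is_admin' key are hypothetical.
"""
import hmac
import logging
import secrets

log = logging.getLogger("remoteuser")

# WSGI spelling of the HTTP headers. Any client that can reach the backend port
# can send "REMOTE_USER: ..." and it arrives exactly like this, hence the check.
USER_HEADER = "HTTP_REMOTE_USER"        # "REMOTE_USER" sent as a request header
SECRET_HEADER = "HTTP_X_PROXY_SECRET"   # hypothetical "X-Proxy-Secret" header


class RemoteUserWithSecret:
    """Trust REMOTE_USER only when the proxy's shared secret is also present."""

    def __init__(self, app, secret, admin_users=()):
        self.app = app
        self.secret = secret.encode()
        self.admin_users = frozenset(admin_users)

    def __call__(self, environ, start_response):
        user = environ.get(USER_HEADER)
        presented = environ.get(SECRET_HEADER, "").encode()
        # compare_digest keeps the comparison time independent of where the
        # first mismatching byte is, so the secret cannot be recovered piecemeal.
        if not user or not hmac.compare_digest(presented, self.secret):
            log.warning("rejected REMOTE_USER=%r from %s: proxy secret missing or wrong",
                        user, environ.get("REMOTE_ADDR"))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        # Hand the verified identity on in the standard CGI variable and drop the
        # client-settable header copy so nothing downstream trusts it by mistake.
        environ["REMOTE_USER"] = user
        environ.pop(USER_HEADER, None)
        environ["galaxy.is_admin"] = user in self.admin_users  # hypothetical key
        return self.app(environ, start_response)


def _demo_app(environ, start_response):
    """Stand-in for the protected application: echoes the trusted identity."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    role = "admin" if environ.get("galaxy.is_admin") else "user"
    return [f"{environ['REMOTE_USER']} ({role})\n".encode()]


def call(app, environ):
    """Invoke a WSGI app and return (status, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


def make_environ(user=None, proxy_secret=None, addr="127.0.0.1"):
    """Constructed WSGI environ for one request (headers appear as HTTP_* keys)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": addr}
    if user is not None:
        environ[USER_HEADER] = user
    if proxy_secret is not None:
        environ[SECRET_HEADER] = proxy_secret
    return environ


def demo():
    """Three constructed requests: one from the proxy, two bypassing it."""
    # Generated here for the demo; a deployment reads it from config shared
    # only between the proxy and the application.
    secret = secrets.token_urlsafe(32)
    app = RemoteUserWithSecret(_demo_app, secret, admin_users={"admin@example.org"})
    return {
        "via_proxy": call(app, make_environ("admin@example.org", secret, "127.0.0.1")),
        "direct_no_secret": call(app, make_environ("admin@example.org", None, "10.0.0.5")),
        "direct_wrong_secret": call(app, make_environ("admin@example.org", "guess", "10.0.0.5")),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name}: {status} {body.strip()}")
```

Two caveats that matter in the classroom-server scenario. The proxy must overwrite (not merely add) both headers, so a value supplied by the client never survives to the backend; and since the concern is local users on the same box, the secret must live in files those users cannot read, otherwise whoever can read the proxy configuration can mint the header themselves. Binding the application to a socket or port reachable only by the proxy removes the direct-request path altogether and is worth doing in addition to the header check.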