Yes. Only admins can use webconsole, so the web console user can modify the
roles required for shell:exec to match themselves.

I guess what I am really saying is that I want a non admin user to be able
to use web console.

Even if I do stop a webconsole user from executing shell:exec, there is
nothing to stop them loading a bundle that does whatever they want. So it
would just be raising the bar for a malicious admin user.

I think I may look at running karaf inside some sort of container (chroot,
Docker) to reduce the rick of granting Karaf adamin rights where I don't
want to give an OS login.

Thanks.

Paul

On 9 December 2016 at 12:36, Jean-Baptiste Onofré <[email protected]> wrote:

> By command, you mean shell:exec ? The acl should already prevent execution
> if the user doesn't have in the expected role.
>
> Regards
> JB
>
> On 12/09/2016 01:30 PM, Paul McCulloch wrote:
>
>> That would be ideal, but right now I'm looking for any way to prevent
>> access to these (very dangerous I think) commands.
>>
>> On 9 December 2016 at 12:08, Jean-Baptiste Onofré <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>>     Hi Paul,
>>
>>     So basically, you want RBAC on the webconsole. Correct ?
>>
>>     It's not possible today without changing the webconsole. It's a good
>>     idea to add such feature.
>>
>>     Regards
>>     JB
>>
>>
>>     On 12/09/2016 12:52 PM, Paul McCulloch wrote:
>>
>>         Hi,
>>
>>         I'm trying to prevent access to shell:exec from the console to
>>         try and
>>         harden my karaf install.
>>
>>         I can revoke access from an admin user with "config:property-set
>> -p
>>         org.apache.karaf.command.acl.shell exec uberadmin". I can also
>>         prevent
>>         the user from using config:property-set from restoring the
>>         permissions.
>>
>>         What I can't seem to do is prevent an admin user from restoring
>>         permissions via the web console's Configuration gui.
>>
>>         I want to permit remote access to the web console, but I don't
>>         want to
>>         give users the ability to run arbitrary commands on the server.
>>
>>         Thanks,
>>
>>         Paul
>>
>>
>>     --
>>     Jean-Baptiste Onofré
>>     [email protected] <mailto:[email protected]>
>>     http://blog.nanthrax.net
>>     Talend - http://www.talend.com
>>
>>
>>
> --
> Jean-Baptiste Onofré
> [email protected]
> http://blog.nanthrax.net
> Talend - http://www.talend.com
>

Reply via email to