Yes. Only admins can use webconsole, so the web console user can modify the roles required for shell:exec to match themselves.

I guess what I am really saying is that I want a non-admin user to be able to use web console. Even if I do stop a webconsole user from executing shell:exec, there is nothing to stop them loading a bundle that does whatever they want. So it would just be raising the bar for a malicious admin user. I think I may look at running karaf inside some sort of container (chroot, Docker) to reduce the risk of granting Karaf admin rights where I don't want to give an OS login.

Thanks.

Paul

On 9 December 2016 at 12:36, Jean-Baptiste Onofré <[email protected]> wrote:
> By command, you mean shell:exec ? The acl should already prevent execution
> if the user doesn't have the expected role.
>
> Regards
> JB
>
> On 12/09/2016 01:30 PM, Paul McCulloch wrote:
>
>> That would be ideal, but right now I'm looking for any way to prevent
>> access to these (very dangerous I think) commands.
>>
>> On 9 December 2016 at 12:08, Jean-Baptiste Onofré <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>> Hi Paul,
>>
>> So basically, you want RBAC on the webconsole. Correct ?
>>
>> It's not possible today without changing the webconsole. It's a good
>> idea to add such feature.
>>
>> Regards
>> JB
>>
>> On 12/09/2016 12:52 PM, Paul McCulloch wrote:
>>
>> Hi,
>>
>> I'm trying to prevent access to shell:exec from the console to try and
>> harden my karaf install.
>>
>> I can revoke access from an admin user with "config:property-set -p
>> org.apache.karaf.command.acl.shell exec uberadmin". I can also prevent
>> the user from using config:property-set from restoring the permissions.
>>
>> What I can't seem to do is prevent an admin user from restoring
>> permissions via the web console's Configuration gui.
>>
>> I want to permit remote access to the web console, but I don't want to
>> give users the ability to run arbitrary commands on the server.
>>
>> Thanks,
>>
>> Paul
>>
>> --
>> Jean-Baptiste Onofré
>> [email protected] <mailto:[email protected]>
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com
>>
>
> --
> Jean-Baptiste Onofré
> [email protected]
> http://blog.nanthrax.net
> Talend - http://www.talend.com
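As an added illustration (not from this thread or from the Karaf project), the two restrictions Paul describes setting live with config:property-set can instead be pinned in Karaf's command ACL files under etc/, so they survive restarts and are visible in review. The role name uberadmin comes from the thread; applying it to the other code-running shell commands and scoping the config: rules with the argument-regex form are my choices here.

```properties
# etc/org.apache.karaf.command.acl.shell.cfg
# Commands in the shell scope that spawn OS processes or run arbitrary code
# from the console. Only users holding the uberadmin role may invoke them.
exec = uberadmin
java = uberadmin
new = uberadmin

# etc/org.apache.karaf.command.acl.config.cfg
# Stop ordinary admins from loosening the ACLs again through the console.
# command[/regex/] = role restricts only invocations whose arguments match
# the regex; here, any argument naming a command-ACL PID (dots escaped).
edit[/.*org[.]apache[.]karaf[.]command[.]acl.*/] = uberadmin
delete[/.*org[.]apache[.]karaf[.]command[.]acl.*/] = uberadmin
property-set[/.*org[.]apache[.]karaf[.]command[.]acl.*/] = uberadmin
property-append[/.*org[.]apache[.]karaf[.]command[.]acl.*/] = uberadmin
property-delete[/.*org[.]apache[.]karaf[.]command[.]acl.*/] = uberadmin
# Everything else in the config scope stays available to plain admins.
edit = admin
delete = admin
property-set = admin
property-append = admin
property-delete = admin
update = admin
```

These rules only govern the Karaf console path; as the thread points out, the webconsole's Configuration page is not subject to command ACLs, so an admin there can still rewrite these PIDs, and a user who can install bundles bypasses the whole mechanism anyway.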
