accesscontroltool icon indicating copy to clipboard operation
accesscontroltool copied to clipboard

Published 20 hours ago verified publisher icon Netcentric

WARN when configuring UploadListenerService

Open kwin opened this issue 1 year ago • 1 comments

Currently the UploadListenerService can be configured for arbitrary paths. Whenever some YAML is then placed in those paths, they are automatically executed with the service user (which is having lots of permissions). As this can easily lead to situations with privilege escalation (i.e. users can grant themselves or others permissions, even if they should not by just placing a YAML file in a certain directory)

Therefore the listener shouldn't be used in most of the cases and using it should lead to a WARN. Preferably only install hooks or JMX (which require admin permissions) should be used for installing YAMLs.

kwin avatar Mar 02 '23 12:03 kwin

The same config is being used for https://github.com/Netcentric/accesscontroltool/blob/develop/docs/ApplyConfig.md#startup-hook, though.

kwin avatar Mar 20 '23 11:03 kwin