Remove the generateHttpPassword capability

Remove the Generate HTTP Password capability because it exposes a
security vulnerability.  Any user that is granted this capability
can modify an administrator's http password and impersonate the
admin user.  Other reasons for removing this capability are that
the usage of it is inconsistent with the modifyAccount capability
and this capability encourages adding additional capabilities to
restrict permissions, which is not desired.

With this change only administrators are allowed to generate and
delete other users' http passwords.

The motivation behind this change is from comments in changes
Ib1971fad and If8296539.

Change-Id: Id907cc103591eed029fd08af700bb1bb6a618ff8
Khai Do
2014-09-25 13:59:28 -07:00
parent c563e98d9b
commit cf9bce2191
9 changed files with 5 additions and 28 deletions

@@ -29,9 +29,7 @@ link:access-control.html#capability_modifyAccount[the 'Modify Account' global ca
To set the HTTP password for the user account (option --http-password) or
to clear the HTTP password (option --clear-http-password) caller must be
a member of the privileged 'Administrators' group, or have been granted
link:access-control.html#capability_generateHttpPassword[the 'Generate HTTP Password' global capability]
in addition to 'Modify Account' global capability.
a member of the privileged 'Administrators' group.
== SCRIPTING
This command is intended to be used in scripts.
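
Review bot: the replacement sentence ("a member of the privileged 'Administrators' group.") does not say that 'Modify Account' on its own is no longer enough for --http-password and --clear-http-password. The hunk header shows the preceding text links to the 'Modify Account' global capability, so a reader who holds only that capability could assume it still covers these two options. Consider stating explicitly that these options are restricted to 'Administrators' regardless of 'Modify Account'. The removed line also linked to access-control.html#capability_generateHttpPassword, so it is worth confirming that the section behind that anchor is removed in the same change and that nothing else still links to it.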