Project

General

Profile

Bug #10544

It's not possible to add a user to group operator using the gui

Added by Craig Leres about 2 months ago. Updated about 2 months ago.

Status:
Pull Request Review
Priority:
Normal
Assignee:
-
Category:
User Manager / Privileges
Target version:
-
Start date:
05/09/2020
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.2.6
Affected Architecture:

Description

I wanted to create a backup user that could dump the filesystem. I used the gui to create group operator which created an additional operator group with gid 2002.

I think the way to fix this is to check for a system (/etc/group) gid before assigning a completely new one.

History

#1 Updated by Craig Leres about 2 months ago

Here's a pull request that implements my fix: #4314

#2 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review

Need to think on this a bit. It seems OK from a technical point of view, but security-wise, I'm not so certain. It may be too easy for an admin to unintentionally grant someone elevated shell privileges by using a special existing group name without realizing what they are doing.

Also available in: Atom PDF