Do users grant permissions to groups?! Is the error message wrong?


Klaus Thorn

Aug 28, 2019, 8:01:36 AM
to trac-...@googlegroups.com
1. I log into Admin-Webfrontend of trac 1.2.3

2. Add user to group (under certain permission-conditions that I do not
yet understand)

3. The (better formatted than below) error message appears:

"The subject %(subject)s was not added to the group %(group)s because the "
"group has %(perm)s permission and users cannot grant permissions they "
"don't possess."

In my understanding of English and trac, adding a user to a group gives
permissions of the group TO the user. That's my reason to add them,
anyway. But the error message suggests that the user gives the
permission (to whom?!).


Also confusing:

Via command line, trac DOES add this user to this group,
and without error.

trac-admin ... permission add user @group




--
Freundliche Grüße / Best Regards

Klaus Thorn

------------------------------------------------------------------------
easydb - manage your data

Sysadmin
Programmfabrik GmbH | Schwedter Straße 9B | 10119 Berlin | Germany
fon: +49-(0)30-40 50 579-0 | fax: +49-(0)30-40 50 579-19
programmfabrik.de | easydb.de | twitter.com/programmfabrik

RjOllos

Aug 28, 2019, 8:07:00 PM
to Trac Users


On Wednesday, August 28, 2019 at 5:01:36 AM UTC-7, Klaus Thorn wrote:
> 1. I log into Admin-Webfrontend of trac 1.2.3
>
> 2. Add user to group (under certain permission-conditions that I do not
> yet understand)
>
> 3. The (better formatted than below) error message appears:
>
> "The subject %(subject)s was not added to the group %(group)s because the "
> "group has %(perm)s permission and users cannot grant permissions they "
> "don't possess."
>
> In my understanding of English and trac, adding a user to a group gives
> permissions of the group TO the user. That's my reason to add them,
> anyway. But the error message suggests that the user gives the
> permission (to whom?!).
>
> Also confusing:
>
> Via command line, trac DOES add this user to this group,
> and without error.
>
> trac-admin ... permission add user @group

You won't see the error if you possess TRAC_ADMIN permission.

If you have PERMISSION_GRANT (1), but not TRAC_ADMIN, then you must be granted all of the permissions of the group in order to grant those permissions to a user. Otherwise, you could elevate your own privileges, or the privileges of others. In the extreme case, you could grant yourself TRAC_ADMIN.

Example: Suppose group1 has TICKET_ADMIN and you are not a member of group1 and do not possess TICKET_ADMIN. Then you cannot add a user to group1. If this was allowed, you could elevate your own permissions by adding yourself to group1 and granting yourself TICKET_ADMIN.

(1) https://trac.edgewall.org/wiki/TracPermissions#Permissions


- Ryan
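As an added illustration of the rule Ryan describes (a small model written for this thread, not Trac's own code), the check below resolves the permissions of the acting user and of the target group from a constructed permission table, lets TRAC_ADMIN bypass the check, and refuses the grant when the group confers anything the actor lacks. It assumes the actor already holds PERMISSION_GRANT (checked elsewhere in Trac) and follows Trac's convention that upper-case actions are permissions and other actions are group names, so nested groups are expanded too.

```python
# Constructed sample rows (subject, action) in the shape of Trac's permission
# table: an upper-case action is a permission, anything else is a group name.
PERMISSIONS = [
    ("group1", "TICKET_ADMIN"),
    ("group1", "WIKI_VIEW"),
    ("viewers", "WIKI_VIEW"),
    ("bob", "PERMISSION_GRANT"),   # may grant, but is not TRAC_ADMIN
    ("bob", "WIKI_VIEW"),
    ("carol", "TRAC_ADMIN"),
    ("dave", "viewers"),           # dave is a member of the viewers group
]


def effective_permissions(subject: str, table: list) -> set:
    """Permissions held by subject, following (possibly nested) group membership."""
    perms, seen, todo = set(), set(), [subject]
    while todo:
        name = todo.pop()
        if name in seen:              # also guards against membership cycles
            continue
        seen.add(name)
        for who, action in table:
            if who == name:
                if action.isupper():
                    perms.add(action)
                else:
                    todo.append(action)   # group: follow its own rows
    return perms


def missing_for_group_grant(actor: str, group: str, table: list) -> set:
    """Permissions the group confers that actor lacks; empty set means allowed.
    TRAC_ADMIN bypasses the check, as described in the reply above."""
    actor_perms = effective_permissions(actor, table)
    if "TRAC_ADMIN" in actor_perms:
        return set()
    return effective_permissions(group, table) - actor_perms


def add_to_group(actor: str, subject: str, group: str, table: list) -> bool:
    """Add subject to group on actor's behalf; returns False and changes nothing when refused."""
    missing = missing_for_group_grant(actor, group, table)
    if missing:
        # Trac's message names the permissions; the reworded variant would not.
        print(f"{subject} was not added to {group}: the group has "
              f"{', '.join(sorted(missing))} and you cannot grant permissions you don't possess")
        return False
    table.append((subject, group))
    return True
```

With the sample table, bob (PERMISSION_GRANT only) cannot add anyone to group1 because it carries TICKET_ADMIN, but can add users to viewers; carol (TRAC_ADMIN) can add to either.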

Kris Deugau

Aug 29, 2019, 10:27:46 AM
to trac-...@googlegroups.com
To put it another way, the error is addressing the permissions of the
user trying to make the change, not the user the change is being applied to.

When using trac-admin from the command line, you have TRAC_ADMIN more or
less by definition.

> Example: Suppose group1 has TICKET_ADMIN and you are not a member of
> group1 and do not possess TICKET_ADMIN. Then you cannot add a user to
> group1. If this was allowed, you could elevate your own permissions by
> adding yourself to group1 and granting yourself TICKET_ADMIN.
>
> (1) https://trac.edgewall.org/wiki/TracPermissions#Permissions

I would argue that the error message should be reworded to something
along the lines of:

"The subject %(subject)s was not added to the group %(group)s
because the group has permissions that you do not. You cannot grant
permissions you do not possess."

Listing the permissions you don't have is an information disclosure that
may be a security violation in some environments.

-kgd

Klaus Thorn

Aug 30, 2019, 9:56:27 AM
to trac-...@googlegroups.com


On 29.08.2019 02:06, RjOllos wrote:
> If you have PERMISSION_GRANT (1), but not TRAC_ADMIN, then you must be
> granted all of the permissions of the group in order to grant those
> permissions to a user.

Thanks for explaining! I suggest clarifying it to something like:

... "group has %(perm)s permission but you do not and you cannot "
"grant permissions you don't possess (except with TRAC_ADMIN)."

best regards,
klaus

RjOllos

Sep 18, 2019, 10:55:25 PM
to Trac Users
I'd say that you really shouldn't give PERMISSION_ADMIN to any user you don't trust enough to know the permissions of the environment. Suppose we don't list the permission, and just tell the user that they cannot grant the permission, the user could infer permissions by testing which they are able to grant.

- Ryan

RjOllos

Sep 18, 2019, 10:56:06 PM
to Trac Users
I'll give some thought to improving the warning message:

- Ryan