Impersonation feature, was: Re: [VOTE] [RELEASE] Apache OFBiz 17.12.01 (full version), vote #3


Michael Brohl
*creating a new thread to leave the vote thread untouched*


In my understanding from the previous threads about the impersonation
features, it is disabled by default and must be enabled explicitly.

Using this feature and dealing with the consequences is up to the user
then. So I see no valid concern to have this feature in the codebase.

Am I missing something?

Michael Brohl

ecomify GmbH - www.ecomify.de

On 28.02.20 at 08:49, Gil Portenseigne wrote:

> Hello Pierre,
>
> If you are talking about impersonation feature, that is not in the 17.12
> branch.
>
> Either way, administrative tools, if we get access to them, allow what
> you are saying. But there is no security issue that grants these
> privileges that we are aware of. If you know of one, please share it with the security list.
>
> I'm open to discuss about the "criminal" aspect of the impersonation
> feature, but not on this thread.
>
> Gil
>
> On Fri, Feb 28, 2020 at 02:54:01AM +0100, Pierre Smits wrote:
>> -1
>>
>> As this release contains software elements that will enable criminal
>> parties to gain access to the implemented OFBiz system of a user (a
>> business organisation) and impersonate valid users with the intent to bring
>> harm to the aforementioned business organisation through transactions
>> registered by the impersonated valid user.
>>
>> Kind regards,
>>
>> Pierre Smits


Re: Impersonation feature, was: Re: [VOTE] [RELEASE] Apache OFBiz 17.12.01 (full version), vote #3

Gil Portenseigne
You understand correctly, and moreover a specific permission must be
granted to allow the user to impersonate another one. And we even added
another security check to not allow impersonating a user with more permissions
than ourselves.

When we contributed the feature, it was discussed, and improved
regarding the concerns that were expressed. And I'm glad that was done
this way (improvement through discussion).

Gil


Re: Impersonation feature, was: Re: [VOTE] [RELEASE] Apache OFBiz 17.12.01 (full version), vote #3

Pierre Smits
Are we confident that documentation and/or logging/audit capabilities are
up to (potential) expectations?

Kind regards,

Pierre Smits
Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since
2008 (without privileges)

*Apache Trafodion <https://trafodion.apache.org>, Vice President*
*Apache Directory <https://directory.apache.org>, PMC Member*
Apache Incubator <https://incubator.apache.org>, committer
Apache Steve <https://steve.apache.org>, committer


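An added example, not code from OFBiz or from anyone in this thread, modelling the three controls Gil describes (the feature is off unless a deployer enables it, the actor needs a dedicated permission, and the actor may not impersonate a user with more permissions than themselves) together with the kind of audit record Pierre asks about. Everything in it is an assumption for illustration: the permission name IMPERSONATE_USER, the sample users and permission names, the in-memory audit log, and the reading of "more permissions" as "holds any permission the actor does not hold" are mine, not OFBiz's implementation.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Hypothetical permission name; not an OFBiz permission identifier.
IMPERSONATE_PERMISSION = "IMPERSONATE_USER"


@dataclass(frozen=True)
class User:
    user_login_id: str
    permissions: frozenset


class ImpersonationDenied(Exception):
    """Raised when any impersonation check fails."""


class ImpersonationGate:
    """Decides whether `actor` may act as `target`; writes an audit record either way."""

    def __init__(self, enabled: bool = False):
        self.enabled = enabled                 # feature flag: off unless explicitly enabled
        self.audit_log: List[str] = []         # in-memory stand-in for a real audit sink

    def _check(self, actor: User, target: User) -> None:
        # 1. The deployer must have turned the feature on.
        if not self.enabled:
            raise ImpersonationDenied("impersonation feature is disabled")
        # 2. A dedicated permission is required; other admin rights do not imply it.
        if IMPERSONATE_PERMISSION not in actor.permissions:
            raise ImpersonationDenied(f"{actor.user_login_id} lacks {IMPERSONATE_PERMISSION}")
        # 3. No privilege escalation: the target may hold nothing the actor lacks
        #    (assumed reading of "more permissions than ourselves").
        extra = target.permissions - actor.permissions
        if extra:
            raise ImpersonationDenied(
                f"{target.user_login_id} holds {sorted(extra)} which "
                f"{actor.user_login_id} does not")

    def impersonate(self, actor: User, target: User,
                    now: Optional[datetime] = None) -> dict:
        """Return a session context on success; an audit record is written first."""
        now = now or datetime.now(timezone.utc)
        reason = None
        try:
            self._check(actor, target)
        except ImpersonationDenied as exc:
            reason = str(exc)
        record = {
            "ts": now.isoformat(),
            "event": "IMPERSONATE",
            "actor": actor.user_login_id,      # the real person, recorded on every attempt
            "target": target.user_login_id,
            "decision": "DENY" if reason else "ALLOW",
            "reason": reason,
        }
        self.audit_log.append(json.dumps(record, sort_keys=True))
        if reason:
            raise ImpersonationDenied(reason)
        # The session keeps both identities so later transactions stay attributable
        # to the actor, not only to the impersonated user.
        return {"user_login_id": target.user_login_id,
                "original_user_login_id": actor.user_login_id}


# Constructed sample users and permission names (hypothetical, not OFBiz data).
ADMIN = User("admin", frozenset({IMPERSONATE_PERMISSION, "ORDER_VIEW", "ORDER_CREATE"}))
CLERK = User("clerk", frozenset({"ORDER_VIEW"}))
FINANCE = User("finance", frozenset({"ORDER_VIEW", "ACCOUNTING_ADMIN"}))


def demo() -> dict:
    """Exercise the allow case, the two deny cases and the disabled default."""
    out = {}
    gate = ImpersonationGate(enabled=True)
    out["admin_as_clerk"] = gate.impersonate(ADMIN, CLERK)          # clerk's perms are a subset
    for actor, target, label in ((CLERK, ADMIN, "clerk_as_admin"),     # lacks the permission
                                 (ADMIN, FINANCE, "admin_as_finance")):  # would escalate
        try:
            gate.impersonate(actor, target)
            out[label] = "ALLOW"
        except ImpersonationDenied as exc:
            out[label] = f"DENY: {exc}"
    out["audit_entries"] = len(gate.audit_log)   # one record per attempt, allowed or not
    try:
        ImpersonationGate().impersonate(ADMIN, CLERK)               # default: disabled
        out["disabled"] = "ALLOW"
    except ImpersonationDenied as exc:
        out["disabled"] = f"DENY: {exc}"
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of recording the actor on every attempt, including denied ones, is that a compromised account probing for impersonation shows up in the audit trail before it succeeds, and a successful switch never loses the originating identity.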