#403 ✓resolved
Steven Kluth

Security Hole: "New Job..." UI button bypasses aclpolicy file entries

Reported by Steven Kluth | July 28th, 2011 @ 02:04 PM | in Rundeck 1.4 (closed)

In a project where an end-user is configured to have read-only access to some job folders, and read/write/create access to others via the .aclpolicy file, enabling the ui/create ACL bypasses the security placed on the read-only folder structure during job creation time, allowing the user to create and execute (one time only) a job in the previously restricted folder space.

Comments and changes to this ticket

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

(DEPRECATED) Please use github issues for issue tracking at http://github.com/dtolabs/rundeck/issues

Shared Ticket Bins

People watching this ticket

Pages