[rt-users] Couple of RT questions

Tobias Brox tobiasb at tobiasb.funcom.com
Fri May 5 07:08:00 EDT 2000


> o There doesn't appear to be any command-line security (anyone
>   who has access to execute the command can manipulate the queues).

The login name is taken as the RT userid.  That means if you have a root
user in RT with full access, and you run the CLI as root, you can do
anything.  It's not a nice thing to do, though, as the transactions will
be recorded as done by "Enoch Root" or something similar.

This makes sense: people should generally not do such things while logged
in as root, and people who have root access to the box can, by theory and
by definition, do anything they like with the box.  If you actually
execute rt as a user that shouldn't have access, and you get access, there
is something seriously wrong somewhere.

>   I tried chmod-ing the suid_wrapper to not allow global execution,
>   but then the web-server fails to execute it.

chmod-ing the suid_wrapper is not the right thing to do.

>   Would changing the group to the webserver's group and allow group 
>   execution be sufficient to secure this off, or is it vital that 
>   the commands to be executed by anyone?

RT1 needs to read the password from the config file, and it needs to write
and read stuff to the transaction dir.  The config file should only be
readable by rt, and the transaction dir should only be read/writable for
rt - so rt has to be run as the rt user.

>   I assume that the authentication is the responsibility of the UI,
>   is that correct?

Yes.

> o When using the web interface, I try to bookmark some locations
>   (such as the direct ticket display, or a predefined queue view).
>   However, if I try to access that before I authenticate, the 
>   authenticate screen comes up, but after authentication it reverts
>   to the default queue view.

Yikes.  I thought we had fixed that ages ago.  I guess it's not in the
public version.

-- 
Tobias Brox 
aka TobiX
+47 22 925 871
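As an added example (not code from the RT project or from this post), the POSIX shell script below audits the permission model the reply describes: the config file and the transaction directory should be private to the rt user, and the suid wrapper should stay owned by rt with its setuid bit intact rather than being chmod-ed. The service user name and all paths are assumptions passed on the command line; nothing here is taken from an actual RT1 install.

```shell
#!/bin/sh
# Added example, not from the RT project: audit RT1-style file permissions.
# The rt user name and every path are hypothetical command-line arguments.

# _mode_and_owner PATH -> prints "<mode-string> <owner>" taken from ls -ld.
# Parsing ls is used here for portability across GNU and BSD stat variants.
_mode_and_owner() {
    set -- $(ls -ld "$1")
    printf '%s %s\n' "$1" "$3"
}

# check_private PATH OWNER
# Succeeds only if PATH exists, is owned by OWNER, and grants no permission
# at all to group or others (e.g. a 0600 config file or a 0700 directory).
check_private() {
    path=$1; want=$2
    [ -e "$path" ] || { echo "FAIL $path: missing"; return 1; }
    set -- $(_mode_and_owner "$path")
    mode=$1; owner=$2
    # characters 5-10 of the mode string are the group and other rwx bits
    rest=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$owner" != "$want" ]; then
        echo "FAIL $path: owned by $owner, expected $want"; return 1
    fi
    if [ "$rest" != "------" ]; then
        echo "FAIL $path: group/other bits present ($mode)"; return 1
    fi
    echo "ok   $path ($mode $owner)"
}

# check_suid_wrapper PATH OWNER
# Succeeds only if PATH is a regular file owned by OWNER, has the setuid bit
# together with owner-execute (mode character 4 is 's'), and is not
# world-writable. That is what lets the web server run the CLI as OWNER.
check_suid_wrapper() {
    path=$1; want=$2
    [ -f "$path" ] || { echo "FAIL $path: not a regular file"; return 1; }
    set -- $(_mode_and_owner "$path")
    mode=$1; owner=$2
    suid=$(printf '%s' "$mode" | cut -c4)      # 's' = setuid + owner exec
    other_w=$(printf '%s' "$mode" | cut -c9)   # 'w' = world-writable
    [ "$owner" = "$want" ] || { echo "FAIL $path: owned by $owner, expected $want"; return 1; }
    [ "$suid" = "s" ] || { echo "FAIL $path: setuid bit not set ($mode)"; return 1; }
    [ "$other_w" != "w" ] || { echo "FAIL $path: world-writable ($mode)"; return 1; }
    echo "ok   $path ($mode $owner)"
}

# Usage: sh audit.sh RT_USER CONFIG_FILE TRANSACTION_DIR SUID_WRAPPER
# (all four values are assumptions supplied by the operator)
if [ $# -eq 4 ]; then
    status=0
    check_private "$2" "$1" || status=1
    check_private "$3" "$1" || status=1
    check_suid_wrapper "$4" "$1" || status=1
    exit $status
fi
```

Run it as `sh audit.sh rt /path/to/rt/config /path/to/rt/transactions /path/to/suid_wrapper`; each line reports ok or FAIL and the exit status is non-zero if any check fails, which makes it easy to drop into a cron job or a post-install check.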