[rt-users] A privileged user can "Autocreate a user added as a watcher" without rights

Carlos Crembil ccrembil at openware.biz
Mon Apr 4 01:56:57 EDT 2005

PROBLEM
A privileged user who does not have the right 'AdminUsers' presses the
"New ticket in" button, creates a ticket with a fake requestor address, and
the system creates a non-privileged account with this address.

SCENARIO
I'm running RT 3.4.0 over Linux Suse 9.2.
The privileged account is just a member of Everyone and Privileged groups.
The ticket is created in a queue named "Helpdesk" (and also happens in
other queues).

My system has the following rights:
Queue group rights:
 - ReplyToTicket, SeeQueue, and ShowTicket to Everyone
 - CommentOnTicket, CreateTicket, ModifyTicket, ShowTicketComments to
Privileged
 - CreateTicket to Non privileged
 - ModifyTicket to Requestor
Queue user right:
 - none
Global user rights:
 - SuperUser to root.
Global group rights:
 - ModifySelf to Everyone.

DEBUGGING
The function HasRight() inside module "lib/RT/Principal_Overlay.pm" gets
the arguments "AdminUsers" and "RT::System", and makes the following SQL
query:
SELECT ACL.id from ACL, Groups, Principals, CachedGroupMembers WHERE
      (ACL.RightName = 'SuperUser' OR  ACL.RightName = 'AdminUsers') AND
      Principals.Disabled = 0 AND
      CachedGroupMembers.Disabled = 0  AND
      Principals.id = Groups.id AND
      Principals.id = CachedGroupMembers.GroupId AND
      CachedGroupMembers.MemberId = '1' AND
      ( ACL.ObjectType = 'RT::System' OR
            (ACL.ObjectType = 'RT::System' AND ACL.ObjectId = '1')) AND
      ( (  ACL.PrincipalId = Principals.id AND
            ACL.PrincipalType = 'Group' AND
            (Groups.Domain = 'SystemInternal' OR
            Groups.Domain = 'UserDefined' OR
            Groups.Domain = 'ACLEquivalence' OR
            Groups.Domain = 'Personal')) )  LIMIT 1

This query returns 1 row, with id=1. The complete row for this query
(columns grouped by the table they come from) is:

ACL:                id=1, PrincipalType=Group, PrincipalId=2, RightName=SuperUser,
                    ObjectType=RT::System, ObjectId=1, DelegatedBy=0, DelegatedFrom=0
Groups:             id=2, Name='User 1', Description='ACL equiv. for user 1',
                    Domain=ACLEquivalence, Type=UserEquiv, Instance=1
Principals:         id=2, PrincipalType=Group, ObjectId=2, Disabled=0
CachedGroupMembers: id=2, GroupId=2, MemberId=1, Via=2, ImmediateParentId=2, Disabled=0

QUESTIONS
Why does this user inherit SuperUser rights?
Is this a bug?
Has anyone had the same problem?

Regards,

Carlos Crembil
Professional Services
http://openware.biz
eMail: ccrembil at openware.biz
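As an added illustration (not part of Carlos's post and not RT's own code), the HasRight() query above run in sqlite3 against trimmed copies of the four joined tables, seeded with the matching row from the post plus a constructed privileged user (principal 12, member only of a Privileged group, holding CreateTicket on queue 1). The point it shows is that the query answers for whatever MemberId it is handed: for principal 1 (user 1, whose ACL-equivalence group carries the global SuperUser grant, i.e. root) every right is granted, while for principal 12 AdminUsers is refused. When debugging a rights check, the MemberId in the generated SQL tells you whose rights are actually being tested.

```python
import sqlite3

# Trimmed copies of the four tables the HasRight() query joins (only the columns
# the query touches; names quoted because GROUPS is a keyword in newer SQLite).
SCHEMA = """
CREATE TABLE "ACL" (id, PrincipalType, PrincipalId, RightName, ObjectType, ObjectId);
CREATE TABLE "Groups" (id, Name, Domain, Type, Instance);
CREATE TABLE "Principals" (id, PrincipalType, ObjectId, Disabled);
CREATE TABLE "CachedGroupMembers" (id, GroupId, MemberId, Via, ImmediateParentId, Disabled);
"""

# First row of each table is the SuperUser match from the post (user 1 via its
# ACL-equivalence group 2). Principals 3, 12 and 13 are constructed: a Privileged
# group (3), a privileged user (12) and that user's ACL-equivalence group (13).
ROWS = {
    "ACL": [(1, "Group", 2, "SuperUser", "RT::System", 1),
            (2, "Group", 3, "CreateTicket", "RT::Queue", 1)],
    "Groups": [(2, "User 1", "ACLEquivalence", "UserEquiv", 1),
               (3, "Privileged", "SystemInternal", "Privileged", 0),
               (13, "User 12", "ACLEquivalence", "UserEquiv", 12)],
    "Principals": [(1, "User", 1, 0), (2, "Group", 2, 0), (3, "Group", 3, 0),
                   (12, "User", 12, 0), (13, "Group", 13, 0)],
    "CachedGroupMembers": [(2, 2, 1, 2, 2, 0), (3, 3, 12, 3, 3, 0),
                           (13, 13, 12, 13, 13, 0)],
}

# The query from the post, with right name, member id and object as bind parameters.
HAS_RIGHT_SQL = """
SELECT "ACL".id FROM "ACL", "Groups", "Principals", "CachedGroupMembers" WHERE
  ("ACL".RightName = 'SuperUser' OR "ACL".RightName = ?) AND
  "Principals".Disabled = 0 AND "CachedGroupMembers".Disabled = 0 AND
  "Principals".id = "Groups".id AND "Principals".id = "CachedGroupMembers".GroupId AND
  "CachedGroupMembers".MemberId = ? AND
  ("ACL".ObjectType = 'RT::System' OR ("ACL".ObjectType = ? AND "ACL".ObjectId = ?)) AND
  "ACL".PrincipalId = "Principals".id AND "ACL".PrincipalType = 'Group' AND
  "Groups".Domain IN ('SystemInternal', 'UserDefined', 'ACLEquivalence', 'Personal')
LIMIT 1
"""

def build_db():
    # In-memory database seeded with the rows above.
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        db.executemany(f'INSERT INTO "{table}" VALUES ({marks})', rows)
    return db

def has_right(db, member_id, right, object_type="RT::System", object_id=1):
    """True if the ACL query grants `right` on the object to principal `member_id`."""
    params = (right, member_id, object_type, object_id)
    return db.execute(HAS_RIGHT_SQL, params).fetchone() is not None
```

Calling has_right(db, 1, "AdminUsers") reproduces the match in the post; has_right(db, 12, "AdminUsers") returns False for the privileged user, who only passes for CreateTicket on queue 1.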
