[rt-users] urgent: disable search for new watchers
Ken Crocker
kfcrocker at lbl.gov
Thu Jun 18 12:08:38 EDT 2009
Jerrad,
Yes, but you can keep them out of other accounts by removing so many
global privileges and making them "Queue-level" privileges. That way, no
one can get into a Queue unless specifically allowed to by privileges.
Kenn
LBNL
On 6/18/2009 8:31 AM, Jerrad Pierce wrote:
> On Thu, Jun 18, 2009 at 11:27, Ken Crocker<kfcrocker at lbl.gov> wrote:
>
>> Why is it a security issue? If your privileges are allowing them to
>> go to a user "Preferences", then I understand, but to just know what
>> UserIds are on the system doesn't seem like a big deal to me.
>>
> It gives them in a edge into trying to crack other accounts, because
> they then already have half the authentication pair. On the other hand,
> they can already determine the name of a privileged user by looking at
> who owns their ticket or otherwise converse with them via RT.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20090618/1864050f/attachment.htm>
More information about the rt-users
mailing list