[rt-users] urgent: disable search for new watchers

Ken Crocker kfcrocker at lbl.gov
Thu Jun 18 12:08:38 EDT 2009


Jerrad,

    Yes, but you can keep them out of other accounts by removing so many 
global privileges and making them "Queue-level" privileges. That way, no 
one can get into a Queue unless specifically allowed to by privileges.

Kenn
LBNL

On 6/18/2009 8:31 AM, Jerrad Pierce wrote:
> On Thu, Jun 18, 2009 at 11:27, Ken Crocker<kfcrocker at lbl.gov> wrote:
>   
>>    Why is it a security issue? If your privileges are allowing them to
>> go to a user "Preferences", then I understand, but to just know what
>> UserIds are on the system doesn't seem like a big deal to me.
>>     
> It gives them an edge in trying to crack other accounts, because
> they then already have half the authentication pair. On the other hand,
> they can already determine the name of a privileged user by looking at
> who owns their ticket or otherwise converse with them via RT.
>
>   