[rt-users] Security/restrictions/revocation/removal of RSS and iCal feeds in RT and related issue of open access through "Go to Ticket ..." box in SelfService

Kevin Falcone falcone at bestpractical.com
Wed Feb 5 10:27:59 EST 2014


On Tue, Feb 04, 2014 at 03:48:34PM -0800, Duncan Napier wrote:
> One of the Admins has requested access to the contents of a queue be
> given to a small group of unprivileged users. The most obvious way is
> to use a query to generate an RSS feed. So far so good. However, we
> may want to restrict access of the feed to a select few people in the
> organization. One way is to keep the feed URL confidential. This might
> work, but I was wondering if there is anything more robust than
> security-through-secrecy. Also I cannot find any way to manage the RSS
> feeds such as deleting or shutting them down when they have outlived
> their usefulness. Can anyone suggest where I can find this out?

Nothing other than custom dev comes to mind.  You can clear all RSS
feeds related to an account using the Secret Authentication Token box
on user account pages.  This will disable all the RSS/ical feeds
associated with the account.  You cannot currently generate an
auth-token per feed.

> 
> Another related topic is the "Go to Ticket ..." box where unprivileged
> users using the SelfServe interface can type in any ticket ID number
> and access the entire ticket. I can see how useful this is, but I'm
> wondering how to restrict access to this practice in the case where
> each ticket is to be considered confidential/privileged between each
> staff member and the support Administrators. So far, there is no issue
> of confidentiality in our organization, but it may come to the
> attention of management that naive staff, or even people who should
> know better, show a lack of judgement by disclosing passwords, access
> codes or confidential information in their support requests that may
> be read or mined by others without privilege to this information.

I'd like to address a misunderstanding here.

    RT does *not* allow access to any ticket just by knowing the ID.

You've granted ShowTicket to Unprivileged or Everyone or otherwise
handed it out too broadly.  This is a security concern, but it is not in
RT, it is in your permissions.

It is likely you meant to give Privileged ShowTicket and then give
Requestors and Ccs ShowTicket so they can see their *own* tickets.

If you'd like a demonstration of this, go to
http://issues.bestpractical.com and click the 'Log in as Guest' button
and attempt to view ticket 13776 which is in a restricted Queue where
Guest does not have ShowTicket permissions.

-kevin
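To put the permission fix described above into practice, here is an added example that is not part of the thread or of RT itself. It assumes an RT 4.2-style install under /opt/rt4 and the API names LoadSystemInternalGroup, LoadRoleGroup, GrantRight, RevokeRight and HasRight as used below; the queue name, the test user and the ticket id are taken from the command line.

```perl
#!/usr/bin/perl
# Added example: revoke the over-broad ShowTicket grant and replace it
# with the intended one (Privileged + Requestor/Cc roles), then verify.
# Assumes RT 4.2-era API names; adjust the lib path for your install.
use strict;
use warnings;
use lib '/opt/rt4/lib';
use RT;
RT::LoadConfig();
RT::Init();

my ( $queue_name, $test_user, $ticket_id ) = @ARGV;
die "usage: $0 QUEUE UNPRIVILEGED_USER TICKET_ID\n" unless $ticket_id;

my $queue = RT::Queue->new( RT->SystemUser );
$queue->Load($queue_name) or die "no such queue: $queue_name\n";

# 1. Everyone / Unprivileged must not hold ShowTicket, neither globally
#    nor on this queue (the misconfiguration Kevin points at).
for my $name (qw(Everyone Unprivileged)) {
    my $g = RT::Group->new( RT->SystemUser );
    $g->LoadSystemInternalGroup($name);
    for my $obj ( $RT::System, $queue ) {
        my ( $ok, $msg ) = $g->PrincipalObj->RevokeRight(
            Right => 'ShowTicket', Object => $obj );
        printf "revoke ShowTicket from %s on %s: %s\n", $name, ref $obj, $msg;
    }
}

# 2. Staff (Privileged) may see the whole queue ...
my $priv = RT::Group->new( RT->SystemUser );
$priv->LoadSystemInternalGroup('Privileged');
$priv->PrincipalObj->GrantRight( Right => 'ShowTicket', Object => $queue );

# ... while Requestors and Ccs only see tickets they are a party to.
for my $role (qw(Requestor Cc)) {
    my $g = RT::Group->new( RT->SystemUser );
    $g->LoadRoleGroup( Object => $queue, Type => $role );
    $g->PrincipalObj->GrantRight( Right => 'ShowTicket', Object => $queue );
}

# 3. Verify: an unprivileged user who is not on the ticket is denied.
my $user = RT::User->new( RT->SystemUser );
$user->Load($test_user) or die "no such user: $test_user\n";
my $ticket = RT::Ticket->new( RT->SystemUser );
$ticket->Load($ticket_id) or die "no such ticket: $ticket_id\n";
my $allowed = $user->HasRight( Right => 'ShowTicket', Object => $ticket );
printf "%s can see ticket %d: %s\n", $test_user, $ticket_id,
    $allowed ? 'YES (still too broad)' : 'no (as intended)';
```

Run it as the RT system user; a "YES" on the last line means ShowTicket is still reaching the test user through some other grant (a group membership or a global right) that also needs to be revoked.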