[SAC] LDAP users still being created during maintainance

Alex M tech_dev at wildintellect.com
Wed May 11 09:49:30 PDT 2016


That's also a huge barrier to new users. Email confirmation is higher
priority to me. We could modify the Maintenance page, to say that during
maintenance new users need to contact an admin to have an account
created. But yes without the email confirmation/ability of users to
set/reset their own passwords, we make temp passwords and send via email
(currently how resets work).

-Alex

On 05/11/2016 09:45 AM, Sandro Santilli wrote:
> On Wed, May 11, 2016 at 09:05:24AM -0700, Frank Warmerdam wrote:
>> I did this.
>>
>> People need to create IDs!
> 
> How about moving the creation script under auth/, allowing
> users from specific project groups to create more users ?
> 
> Then the maintenance page could report something like:
> "ask another OSGeo User to create the account for you"
> 
> But I understand this would be problematic as whoever creates
> the user needs to know the user password, correct ?
> 
> --strk;
> 
>> On May 11, 2016 8:46 AM, "Sandro Santilli" <strk at keybit.net> wrote:
>>
>>> I spotted a new user which was created _after_ we put the form
>>> back to maintenance mode. The POST was directly done to the
>>> renamed script. I think the renamed script URL was at some point
>>> found in the form but I don't know who made the change.
>>>
>>> The files modification dates are (UTC):
>>>
>>>    May 10 06:41 for the renamed script with exposed new url
>>>    May  9 13:39 for the renamed script with no exposed new url
>>>    May  9 18:31 when the form was put in maintenance mode
>>>
>>> The POST to renamed script happened 24 hours after the exposed url
>>>
>>>    11/May/2016:05:54:01 -0700
>>>
>>> And resulted in the creation of a "vvk" user (with .ru email address):
>>>
>>>    createTimestamp: 20160511125401Z
>>>
>>> The POST came from ip 77.242.110.178, which also issued a GET
>>> for the renamed-form URL at:
>>>
>>>    11/May/2016:05:51:36 -0700
>>>
>>> The very first request to the renamed script was issued on
>>>
>>>    [09/May/2016:22:59:33 -0700] from 173.247.202.130
>>>    That is:  May 10 05:59 UTC
>>>
>>> For now I removed the execute bit from the disabled script, but let
>>> me know if it was an "internal" backdoor legitimately used.
>>>
>>> --strk;
> _______________________________________________
> Sac mailing list
> Sac at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/sac
> 
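The correlation strk walks through above (an access-log POST at a local-offset timestamp lining up with an LDAP createTimestamp in UTC) can be scripted so the check runs over the whole log instead of by eye. The following is an added example, not code from this thread or from the OSGeo SAC project: it parses Apache-style access log lines, converts both timestamp formats to UTC, and flags every account created after the maintenance cutoff that matches a POST to the renamed script within a short window. The script path, client IPs (documentation range) and uid values are constructed placeholders; the timestamps mirror the ones quoted in the thread.

```python
"""Correlate web-server POSTs with LDAP account creations after a maintenance cutoff.

Added example; not code from the SAC thread or the OSGeo project. The sample log
lines and LDAP entries below are constructed: the script path and uids are
placeholders, IPs come from 192.0.2.0/24, timestamps mirror the thread.
"""
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined log line: client ip, [timestamp], "METHOD path PROTO", status
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Placeholder for the renamed creation script (the real name is not in the thread).
SCRIPT_PATH = "/ldap/create_user.renamed.php"

# Constructed access log lines (IPs from the documentation range).
ACCESS_LOG = [
    '192.0.2.20 - - [09/May/2016:10:00:00 -0700] "POST /ldap/create_user.renamed.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [11/May/2016:05:51:36 -0700] "GET /ldap/create_user.renamed.php HTTP/1.1" 200 1234',
    '192.0.2.10 - - [11/May/2016:05:54:01 -0700] "POST /ldap/create_user.renamed.php HTTP/1.1" 200 512',
]

# Constructed LDAP entries (uid + operational attribute createTimestamp).
LDAP_ENTRIES = [
    {"uid": "legit-old-user", "createTimestamp": "20160508090000Z"},
    {"uid": "example-new-user", "createTimestamp": "20160511125401Z"},
]

# Form was put into maintenance mode at May 9 18:31 UTC (from the thread).
MAINTENANCE_CUTOFF_UTC = datetime(2016, 5, 9, 18, 31, tzinfo=timezone.utc)


def parse_apache_ts(ts: str) -> datetime:
    """'11/May/2016:05:54:01 -0700' -> timezone-aware datetime normalised to UTC."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)


def parse_ldap_generalized_time(ts: str) -> datetime:
    """LDAP GeneralizedTime '20160511125401Z' -> timezone-aware UTC datetime."""
    return datetime.strptime(ts, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_access_log(lines):
    """Yield one dict per parseable access log line, timestamps already in UTC."""
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if m:
            yield {
                "ip": m["ip"],
                "ts": parse_apache_ts(m["ts"]),
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
            }


def find_suspicious_creations(access_lines, ldap_entries, script_path,
                              cutoff_utc, window=timedelta(minutes=5)):
    """Return accounts created after cutoff_utc whose createTimestamp lies within
    `window` of a POST to script_path, together with the POST's client IP."""
    posts = [r for r in parse_access_log(access_lines)
             if r["method"] == "POST" and r["path"] == script_path]
    findings = []
    for entry in ldap_entries:
        created = parse_ldap_generalized_time(entry["createTimestamp"])
        if created <= cutoff_utc:
            continue  # created before maintenance; not in scope
        for p in posts:
            if abs(p["ts"] - created) <= window:
                findings.append({"uid": entry["uid"], "created": created,
                                 "ip": p["ip"], "post_ts": p["ts"]})
                break
    return findings


def run_example():
    """Run the check over the constructed sample data."""
    return find_suspicious_creations(ACCESS_LOG, LDAP_ENTRIES, SCRIPT_PATH,
                                     MAINTENANCE_CUTOFF_UTC)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['uid']} created {f['created'].isoformat()} "
              f"after cutoff; POST from {f['ip']} at {f['post_ts'].isoformat()}")
```

The POST from the 09/May line is before the cutoff and is ignored; the 11/May POST at 05:54:01 -0700 converts to 12:54:01Z and matches the createTimestamp exactly, so that account is reported with the client IP. Widening `window` catches creation scripts that write to LDAP asynchronously.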