FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Grant yourself the Global Admin role #2170

Open rob84 opened 1 year ago

rob84 commented 1 year ago

Grant yourself the Global Admin role

Description

If a user has the role "user_manager" he is able to get the Global Admin role (admin) in two steps:

  1. He creates a new user and grants it the role "admin".
  2. He logs in with the newly created user and grants the original user the admin role.

The first step should not be possible.

Affects versions

1.42.0

Steps to reproduce

Steps to reproduce the behavior:

  1. Go to 'Users'
  2. Click on 'Add user'
  3. Select Tenant Default (FusionAuth)
  4. Fill in the form and set a password
  5. Go to 'Users' and search for the new user
  6. Click on 'Add registration'
  7. Select Application 'FusionAuth'
  8. Select Role 'admin' (this is the main issue; you can also give access to other roles that you don't have yourself)
  9. Click on 'Save'

Grant yourself:

  1. Log in with the new user
  2. Search for your original user
  3. Grant the user the role 'admin'

Expected behavior

It should not be possible to give more roles than your own set.

Screenshots

This user has only the Role "User Manager" (see the empty menu) and can give more rights/roles to others.

Platform

(Please complete the following information)

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Additional context

nothing

robotdan commented 1 year ago

This is a known escalation path. You should consider user_manager an admin for this reason. Instead you should use user_support_manager.

I want to allow L1 support into the FusionAuth admin UI and limit their capability. There is a user_manager role today, but because this user can manage users and registrations, this mostly makes this role an admin.

I think this is documented somewhere, we'll review our doc to ensure this is stated somewhere.

We have discussed changing the user_manager role, however I don't know that it is possible to restrict this user from becoming admin. Even if you restrict the user from changing their own registration, this user could simply create a new user as admin, and then log in as this user.

I suppose the only way to lock it down would be to restrict this user from managing registrations for the FusionAuth app altogether. But this would be a breaking change that some may rely upon. But even in this case, they could create themselves a user that is an admin in another app which may or may not have access to create FusionAuth admin users. It is tricky.
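The two-step path from the issue, and the "no more roles than your own" rule from its Expected behavior section, as an added model (example code, not FusionAuth's own; the `User`, `grant_roles` and `FUSIONAUTH_APP` names are hypothetical). The check is applied per target application and to every grant, not only self-grants, which is why the "create a new admin user, then log in as it" step in the comment above is blocked as well.

```python
# Added example (not FusionAuth code): a minimal model of the registration-role
# grant described in this issue, with and without the check the reporter expects.
# User, grant_roles and FUSIONAUTH_APP are hypothetical names, not FusionAuth APIs.
from dataclasses import dataclass, field

FUSIONAUTH_APP = "FusionAuth"  # the admin UI application from step 7


@dataclass
class User:
    name: str
    # application name -> set of role names on that registration
    registrations: dict = field(default_factory=dict)

    def roles(self, app: str) -> set:
        return set(self.registrations.get(app, set()))


class Forbidden(Exception):
    pass


def grant_roles(actor: User, target: User, app: str, roles: set, restrict_to_own: bool) -> None:
    """Register `target` in `app` with `roles`, acting as `actor`.

    restrict_to_own=False reproduces the reported behaviour: any user_manager
    may assign any role. restrict_to_own=True applies the rule from the issue:
    a non-admin actor may not grant roles it does not itself hold in `app`.
    """
    actor_admin_roles = actor.roles(FUSIONAUTH_APP)
    if not actor_admin_roles & {"admin", "user_manager"}:
        raise Forbidden(f"{actor.name} may not manage registrations")
    if restrict_to_own and "admin" not in actor_admin_roles:
        missing = set(roles) - actor.roles(app)
        if missing:
            raise Forbidden(f"{actor.name} cannot grant roles it lacks: {sorted(missing)}")
    target.registrations.setdefault(app, set()).update(roles)


def escalate(restrict_to_own: bool) -> bool:
    """Run the two-step path from the issue; True if the user_manager ends up admin."""
    rob = User("rob", {FUSIONAUTH_APP: {"user_manager"}})  # constructed sample user
    helper = User("helper")  # step 1: create a new user
    try:
        grant_roles(rob, helper, FUSIONAUTH_APP, {"admin"}, restrict_to_own)  # step 8
        grant_roles(helper, rob, FUSIONAUTH_APP, {"admin"}, restrict_to_own)  # "grant yourself"
    except Forbidden:
        pass
    return "admin" in rob.roles(FUSIONAUTH_APP)
```

Without the check `escalate(False)` returns True; with it `escalate(True)` returns False, while a user_manager can still hand out the user_manager role it holds.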