User without %Service_Login:U privilege gets a terminal with $username="irisowner" (or other IRIS startup account)

caretdev / iterm

MIT License

0 stars 1 forks source link

User without %Service_Login:U privilege gets a terminal with $username="irisowner" (or other IRIS startup account) #2

Open gjsjohnmurray opened 2 months ago

gjsjohnmurray commented 2 months ago

Create a user with only the %DB_IRISSYS role.
Launch iterm.
Authenticate as this user.
At the iterm prompt write $username and $roles.

🐛 You are running as the IRIS user corresponding to the Linux userid IRIS was started as, and you have the %All role

In step 1 you probably only need a role that gets you %DB_IRISSYS:U

gjsjohnmurray commented 2 months ago

https://github.com/caretdev/iterm/blob/9de583eb9ff58ef41ea3f7b429239a4f5083338e/src/iTerm/Engine.cls#L74-L75

I don't think this check is needed. Doc for the Login method says this permission is only required when passing a password, and then it's the caller who must have the permission, not the user that the caller is logging in.