Ticket UUID: c9e84b567178d755d216f095ca98da3a92d6a4cd
Title: fossil treats anybody connecting from 127.0.0.1 as user with UID 1
Status: Closed
Type: Feature_Request
Severity: Severe
Priority: (none)
Subsystem: (none)
Resolution: Not_A_Bug
Last Modified: 2010-11-18 08:18:25
Version Found In: 9c31866404

Description & Comments:
Even in server mode, fossil considers any user connecting from 127.0.0.1 to be super user. It seems like no policy mechanism is in effect whatsoever. This is especially troubling if you are proxying traffic from a web server (say lighttpd) to a fossil instance in server mode, where both programs run on the same machine.

Also, when connecting to a fossil server over SSH and both sshd and fossil run on the same machine, your connection is considered to originate from 127.0.0.1. No policy can be applied to such users and anybody connecting in this way is treated as super user. This not only affects fossil in server mode but also fossil running as CGI executed by a web server, if the web server and sshd are on the same machine.

anonymous added on 2010-11-18 01:46:21:

drh added on 2010-11-18 02:38:50:

anonymous added on 2010-11-18 08:18:25:
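The failure mode the reporter describes, as an added example that is not part of the ticket and not Fossil's own code: a small model of a web application that promotes any loopback peer to the setup user, driven through the three situations named above (a browser on the same box, lighttpd proxying to the application, and an SSH port forward through sshd). The function names, the list of forwarding headers, the "setup"/"anonymous" user names, the `local_ui_mode` flag and the client addresses are all assumptions chosen for the example; the hardened variant shows one way to tie auto-elevation to how the process was started rather than to the peer address alone.

```python
# Added illustration, not Fossil's source. Models a web app that, like the
# behaviour reported in this ticket, promotes any connection from 127.0.0.1 to
# the setup (super) user, and shows how a reverse proxy or an SSH tunnel on the
# same host makes every remote client arrive as "127.0.0.1". Function and
# header names, mode flag and sample addresses are assumptions for the example.
from dataclasses import dataclass, field

LOOPBACK = {"127.0.0.1", "::1"}

# Headers a reverse proxy typically adds. Their presence proves the TCP peer
# is a proxy; their absence proves nothing (an SSH tunnel adds no header).
FORWARDING_HEADERS = {"x-forwarded-for", "x-real-ip", "forwarded", "via"}


@dataclass
class Request:
    remote_addr: str                      # TCP peer as seen by the listener
    headers: dict = field(default_factory=dict)

    def has_forwarding_header(self) -> bool:
        return any(k.lower() in FORWARDING_HEADERS for k in self.headers)


def naive_user(req: Request, default_user: str = "anonymous") -> str:
    """The policy the ticket complains about: loopback peer => super user."""
    return "setup" if req.remote_addr in LOOPBACK else default_user


def hardened_user(req: Request, local_ui_mode: bool,
                  default_user: str = "anonymous") -> str:
    """Auto-elevation is only meaningful when the process was deliberately
    started as a single-user local UI bound to the loopback interface.
    In server or CGI mode the loopback peer may be lighttpd or sshd relaying
    an arbitrary remote client, so elevation is refused outright; in local
    UI mode it is additionally refused when the request carries proxy headers,
    since then the peer is demonstrably not the real client."""
    if not local_ui_mode:
        return default_user
    if req.remote_addr not in LOOPBACK or req.has_forwarding_header():
        return default_user
    return "setup"


def scenarios() -> dict:
    """Constructed requests for the situations in the ticket, returning
    (naive decision, hardened decision) for each."""
    direct = Request("127.0.0.1")                            # browser on the box
    proxied = Request("127.0.0.1",                           # lighttpd -> app
                      {"X-Forwarded-For": "203.0.113.5"})    # real client (constructed)
    tunnelled = Request("127.0.0.1")                         # ssh -L client, no header
    remote = Request("198.51.100.7")                         # direct remote client
    return {
        "direct":    (naive_user(direct),    hardened_user(direct,    local_ui_mode=True)),
        "proxied":   (naive_user(proxied),   hardened_user(proxied,   local_ui_mode=False)),
        "tunnelled": (naive_user(tunnelled), hardened_user(tunnelled, local_ui_mode=False)),
        "remote":    (naive_user(remote),    hardened_user(remote,    local_ui_mode=False)),
    }


if __name__ == "__main__":
    for name, (naive, hardened) in scenarios().items():
        print(f"{name:10s} naive={naive:10s} hardened={hardened}")
```

The tunnelled request is byte-for-byte identical to the direct one at the HTTP level, which is why the hardened check cannot rely on per-request evidence alone: the decision has to hang on whether the process was started as a local single-user UI (loopback-bound, for one person) or as a server/CGI process that may sit behind a proxy or a tunnel. The forwarding-header check is a secondary guard for the case where a proxy is accidentally pointed at a local-UI instance.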