Page MenuHomePhabricator
Create Task
Maniphest T7667

Provide `auth lock` and `auth unlock` to restrict authentication provider management to the CLI
Closed, ResolvedPublic
Actions

Description

See some discussion in T6755. Providing auth lock and auth unlock commands would moderately increase the security of installs in the face of a compromised administrative account. There is normally very little need to edit authentication configuration after initial setup, and it necessarily has a wide array of access implications.

With respect to T6755, specifically, it is potentially an SSRF vector. It's somewhat hard to imagine this being a meaningful component of a practical attack, but not wholly absurd.

Revisions and Commits

Restricted Differential RevisionRestricted Diffusion Commit
Restricted Differential RevisionRestricted Diffusion Commit
rP Phabricator
D20645rP7852adb84bbe Actually enforce auth.lock-config
D20447rP4e37184862d2 (stable) Don't warn about a locked database value after users run "bin/auth…
D20447rPc648077625e3 Don't warn about a locked database value after users run "bin/auth lock"
D20400rP0583f6dc50a8 Some formatting changes for showing auth provider config guidance
D20394rP0f9776fb58e2 Add a workflow and a new config option for locking authentication providers
D20038rPd8d4efe89e85 Require MFA to edit MFA providers

Related Objects
Search...

Event Timeline

epriestley created this task.Mar 26 2015, 5:13 PM
epriestley raised the priority of this task from to Low.
epriestley updated the task description. (Show Details)
epriestley added projects: Security, Auth.
epriestley added a subscriber: epriestley.
eadler added a subscriber: eadler.Apr 28 2015, 3:28 AM
epriestley mentioned this in T13138: Improve consistency of MFA requirements to invite/approve users.May 14 2018, 2:14 PM
epriestley mentioned this in T13190: Plans: User Accounts, Profiles, Registration and Imports.Aug 27 2018, 4:40 PM
epriestley mentioned this in T2549: Support linking multiple external accounts from the same provider with one Phabricator account.Dec 12 2018, 7:53 PM
epriestley moved this task from Backlog to Next on the Auth board.Dec 12 2018, 8:19 PM
Herald added subscribers: cburroughs, andypuettmann, revi. · View Herald TranscriptDec 12 2018, 8:19 PM
epriestley mentioned this in T4131: Store LDAP domain as credential source for LDAP external accounts.Dec 12 2018, 8:25 PM
epriestley mentioned this in T13222: 2018 Week 48-51 Bonus Content.Dec 12 2018, 8:37 PM
epriestley added a comment.Jan 25 2019, 6:31 PM

After T13222, this is more relevant:

  • Administrator accounts may disable all MFA from the web UI.
  • Auth guidance is a more compelling target for content injection than most injectable channels (e.g., the login screen can be made to say "go to evil.ru and type in ur password qt ;)", which seems authoritative-ish).
epriestley added a revision: D20038: Require MFA to edit MFA providers.Jan 25 2019, 6:45 PM
epriestley added a commit: rPd8d4efe89e85: Require MFA to edit MFA providers.Jan 28 2019, 5:44 PM
amckinley added a revision: D20394: Add a workflow and a new config option for locking authentication providers.Apr 10 2019, 10:35 PM
amckinley added a commit: rP0f9776fb58e2: Add a workflow and a new config option for locking authentication providers.Apr 10 2019, 11:15 PM
amckinley added a revision: D20400: Some formatting changes for showing auth provider config guidance.Apr 11 2019, 8:16 PM
amckinley added a commit: rP0583f6dc50a8: Some formatting changes for showing auth provider config guidance.Apr 17 2019, 6:08 PM
Herald added a subscriber: amckinley. · View Herald TranscriptApr 17 2019, 6:08 PM
epriestley added a comment.Apr 18 2019, 12:20 AM

hmmmmmm

Screen Shot 2019-04-17 at 5.20.33 PM.png (1×1 px, 356 KB)

epriestley added a revision: D20447: Don't warn about a locked database value after users run "bin/auth lock".Apr 18 2019, 12:24 AM
epriestley added a commit: rPc648077625e3: Don't warn about a locked database value after users run "bin/auth lock".Apr 18 2019, 2:54 AM
epriestley added a comment.Apr 18 2019, 2:02 PM

This could be made slightly cleaner with a setSummary() to set a shorter summary:

Screen Shot 2019-04-18 at 7.01.55 AM.png (251×916 px, 51 KB)

epriestley added a revision: Restricted Differential Revision.Apr 18 2019, 2:05 PM
epriestley added a commit: Restricted Diffusion Commit.Apr 18 2019, 8:08 PM
epriestley added a commit: Restricted Diffusion Commit.Apr 22 2019, 5:38 AM
epriestley added a commit: rP4e37184862d2: (stable) Don't warn about a locked database value after users run "bin/auth….Apr 22 2019, 2:00 PM
amckinley added a revision: D20645: Actually enforce auth.lock-config.Jul 10 2019, 3:05 PM
amckinley closed this task as Resolved by committing rP7852adb84bbe: Actually enforce auth.lock-config.Jul 15 2019, 6:53 PM
amckinley claimed this task.
amckinley added a commit: rP7852adb84bbe: Actually enforce auth.lock-config.
Phabricator · Built by Phacility