Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0004078 | Openbravo ERP | A. Platform | public | 2008-06-19 16:47 | 2008-08-21 19:29 |
|
| Reporter | plujan | |
| Assigned To | cromero | |
| Priority | normal | Severity | major | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | |
| Platform | | OS | 10 | OS Version | XPsp2 |
| Product Version | 2.40alpha-r3 | |
| Target Version | | Fixed in Version | pi | |
| Merge Request Status | |
| Review Assigned To | |
| OBNetwork customer | No |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0004078: Database user on PostgreSQL should not have SuperUser privileges |
| Description | Database user on PostgreSQL should not have SuperUser privileges
This is a security vulnerability because if hackers manage to get access to this user, they will gain control of the full database.
This is a particularly serious concern for those customers who deploy Openbravo in a PostgreSQL database that houses other applications as well. |
| Steps To Reproduce | Connect to PostgreSQL and verify privileges. |
| Proposed Solution | |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | | related to | defect | 0000124 | 2.40 | closed | alostale | Openbravo database schema has dba privileges |
|
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2008-06-19 16:47 | plujan | New Issue | |
| 2008-06-19 16:47 | plujan | Assigned To | => cromero |
| 2008-06-19 16:47 | plujan | sf_bug_id | 0 => 1997918 |
| 2008-06-19 16:47 | plujan | OBNetwork customer | => No |
| 2008-06-19 16:58 | cromero | Relationship added | related to 0000124 |
| 2008-06-19 17:01 | cromero | Assigned To | cromero => marvintm |
| 2008-06-19 17:01 | cromero | Status | new => scheduled |
| 2008-06-20 11:15 | cromero | Assigned To | marvintm => cromero |
| 2008-06-20 11:46 | svnbot | Checkin | |
| 2008-06-20 11:46 | svnbot | Note Added: 0007903 | |
| 2008-06-20 11:46 | svnbot | Status | scheduled => resolved |
| 2008-06-20 11:46 | svnbot | Resolution | open => fixed |
| 2008-06-20 11:46 | svnbot | svn_revision | => 5240 |
| 2008-06-20 12:45 | svnbot | Checkin | |
| 2008-06-20 12:45 | svnbot | Note Added: 0007909 | |
| 2008-06-20 12:45 | svnbot | svn_revision | 5240 => 5245 |
| 2008-06-20 12:56 | cromero | Note Added: 0007910 | |
| 2008-08-21 19:29 | psarobe | Regression testing | => No |
| 2008-08-21 19:29 | psarobe | Status | resolved => closed |
| 2008-08-21 19:29 | psarobe | Fixed in Version | => trunk |
|
Notes |
|
(0007903) | svnbot | 2008-06-20 11:46 |
Repository: openbravo
Revision: 5240
Author: cromeroherrero
Date: 2008-06-20 11:46:42 +0200 (Fri, 20 Jun 2008)
Fixed bug 4078: Database user on PostgreSQL should not have SuperUser privileges
Now User is created without SuperUser privileges.
---
U trunk/src-db/database/build.xml
---
https://dev.openbravo.com/websvn/openbravo/?rev=5240&sc=1
|
(0007909) | svnbot | 2008-06-20 12:45 |
Repository: openbravo
Revision: 5245
Author: cromeroherrero
Date: 2008-06-20 12:45:02 +0200 (Fri, 20 Jun 2008)
Fixed bug 4078: Database user on PostgreSQL should not have SuperUser privileges
* Reverted modification since SuperUser privileges are needed to disable constraints (used in delete_client process).
---
U trunk/src-db/database/build.xml
---
https://dev.openbravo.com/websvn/openbravo/?rev=5245&sc=1
|
A new feature request has been added in order to solve this bug:
https://issues.openbravo.com/view.php?id=4099
While Delete_Client needs SuperUser privileges to disable/enable constraints, the role needs to be created with those privileges. |
|
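Added example, not part of the ticket or of Openbravo's code: a psql script for the check named under "Steps To Reproduce" and for the trade-off described in the notes above. The names demo_app, demo_parent and demo_child are constructed, and the script assumes constraints are disabled with ALTER TABLE ... DISABLE TRIGGER ALL, which the ticket does not state.

```sql
-- Added example. Run as a superuser in a scratch database.
-- demo_app, demo_parent and demo_child are constructed names.

-- 1. Audit: login roles that hold cluster-wide attributes.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb
FROM pg_roles
WHERE rolcanlogin AND (rolsuper OR rolcreaterole OR rolcreatedb)
ORDER BY rolname;

-- 2. Exposure: a superuser bypasses permission checks in every database
--    of the cluster, so list what else is hosted next to the application.
SELECT datname, pg_get_userbyid(datdba) AS owner
FROM pg_database
WHERE NOT datistemplate
ORDER BY datname;

-- 3. Least-privilege alternative: a plain login role that owns its tables.
CREATE ROLE demo_app LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE;
CREATE TABLE demo_parent (id integer PRIMARY KEY);
CREATE TABLE demo_child (
    id        integer PRIMARY KEY,
    parent_id integer REFERENCES demo_parent (id)
);
ALTER TABLE demo_parent OWNER TO demo_app;
ALTER TABLE demo_child  OWNER TO demo_app;

-- 4. Trade-off: the owner may disable user triggers, but the internal
--    foreign-key triggers can only be disabled by a superuser.
--    (Assumption: this is how the application disables constraints.)
DO $$
BEGIN
    SET LOCAL ROLE demo_app;
    ALTER TABLE demo_child DISABLE TRIGGER USER;
    RAISE NOTICE 'DISABLE TRIGGER USER: allowed for the table owner';
    ALTER TABLE demo_child DISABLE TRIGGER ALL;
    RAISE NOTICE 'DISABLE TRIGGER ALL: allowed, role is a superuser';
EXCEPTION WHEN insufficient_privilege THEN
    RAISE NOTICE 'DISABLE TRIGGER ALL refused: %', SQLERRM;
END
$$;

-- Cleanup of the constructed objects.
DROP TABLE demo_child, demo_parent;
DROP ROLE demo_app;
```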