Red Hat Bugzilla – Bug 489756
non-privileged users able to remove others from the CC list
Last modified: 2014-10-12 18:46:00 EDT
It was reported to me that a "regular" user could remove other users from the CC list of a bug without error. He did, by way of example, remove a kernel developer from a security-related kernel bug (then added him back once he realized what he did, of course). A "regular" user shouldn't be able to do this (they should only be able to remove their own email address from the CC list).
There is an upstream bug about this:
Upstream doesn't think this is a bug. Their rationale is that if a user is able to add any address to the CC, they should be able to remove any address as well.
An overly complicated "fix" would be to map who adds what CC to the list and allow a user to remove only CC's they have added. An easier fix would be to allow users to add a CC, but not allow them to remove anyone from the CC list other than their own address (and leave it to others to remove themselves from the CC list).
I don't know if we use a finer-grained ACL than upstream does, so I'm not sure if anyone and everyone is in the editbugs group; if not, we could restrict this kind of change to users in the editbugs group.
Regardless, I think the ability for anyone to arbitrarily remove others from the CC list is wrong; there should be some special privileges required to do this or, at the very least, a restriction on a user to only remove their own address from the CC list.
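The following is an added illustration of the policy proposed in this report, not code from Bugzilla or from anyone in this thread: a validator that lets any user who can see the bug add CC addresses, but only lets a user remove their own address unless they hold the editbugs privilege. The group name "editbugs" comes from the report; the e-mail addresses and the `User` / `CcDecision` types are constructed for the example.

```python
"""CC-list change validator (added example; hypothetical, not Bugzilla's code).

Policy implemented:
  * any user may add addresses to the CC list;
  * a non-privileged user may remove only their own address;
  * a user in the privileged group (here 'editbugs', as named in the report)
    may remove anyone.
Rejected removals are reported rather than silently dropped so they can be
logged and noticed.
"""
from dataclasses import dataclass


def _norm(addr: str) -> str:
    """Compare e-mail addresses case-insensitively and ignoring surrounding space."""
    return addr.strip().lower()


@dataclass(frozen=True)
class User:
    email: str
    groups: frozenset = frozenset()

    def has(self, group: str) -> bool:
        return group in self.groups


@dataclass
class CcDecision:
    allowed_adds: set
    allowed_removes: set
    rejected_removes: set


def validate_cc_change(user: User, current_cc, proposed_cc,
                       privileged_group: str = "editbugs") -> CcDecision:
    """Split a proposed CC list into permitted adds/removes and rejected removes."""
    current = {_norm(a) for a in current_cc}
    proposed = {_norm(a) for a in proposed_cc}
    adds = proposed - current
    removes = current - proposed

    if user.has(privileged_group):
        # Privileged users may remove anyone (the behaviour the report
        # reserves for a special privilege).
        return CcDecision(adds, removes, set())

    # Regular users: additions are fine, removals limited to self.
    own = {a for a in removes if a == _norm(user.email)}
    return CcDecision(adds, own, removes - own)


def apply_cc_change(user: User, current_cc, proposed_cc):
    """Return (new_cc_list, rejected_removals); rejected addresses stay on the list."""
    decision = validate_cc_change(user, current_cc, proposed_cc)
    new_cc = ({_norm(a) for a in current_cc} | decision.allowed_adds) \
        - decision.allowed_removes
    return sorted(new_cc), sorted(decision.rejected_removes)


def audit_line(user: User, bug_id: int, rejected) -> str:
    """One log line per rejected attempt, for later review (constructed format)."""
    return f"bug={bug_id} user={_norm(user.email)} rejected_cc_removals={','.join(sorted(rejected))}"


if __name__ == "__main__":
    # Constructed sample: a regular user tries to drop a developer from the CC list.
    regular = User("alice@example.test")
    cc = ["alice@example.test", "kernel-dev@example.test"]
    new_cc, rejected = apply_cc_change(regular, cc, ["nobody@example.test"])
    print(new_cc)                      # developer kept, nobody added, alice removed
    print(audit_line(regular, 489756, rejected))
```

The split into allowed and rejected removals is deliberate: returning the rejected set lets the caller both keep the address on the list and write an audit record, which is the detection side of the problem this report describes.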
I don't really think this is a big issue, and I agree with upstream that people who are able to add others to the CC list should be able to remove them as well. Only people who have access to the bugs can do that, as bugs can either be public or be associated with private groups so that only people in those groups can make changes to the bugs, including CC list changes. I am not sure about that security-related bug you are talking about, as regular users don't have access to security bugs; please give us an example of a bug number that was accessed and changed by an unauthorized user. Also, if any user gets removed from the CC list then they get notified by email that they have been removed.
No, it wasn't a private security bug, it was a public one. Obviously group restrictions would prevent someone from changing the cclist of a private bug; that's not what I'm talking about.
Also, I didn't mean to imply that *this* is a security bug. I just think it's wrong behaviour that if I add myself to the cclist of a public bug, any average joe can remove me. Sure, I'd get an email about it, and can add myself back, but I don't think that should be something that just anyone should be able to do.
Well it's not just deleting people off the list but I can add joe random as well.
Assuming this behaves as described (and I haven't tested it) how often do people have a genuine reason to remove other people from bugs? How often do people accidentally/deliberately remove other people when they shouldn't?
Could the cure cause more hassle than the problem?
The thing that causes me most trouble in this area is when someone takes a bug assigned to me and reassigns it to someone else without adding me to the cc - I'd like an option to say 'always add me to the cc if someone else takes ownership of a bug away from me'.
Red Hat Bugzilla is now using version 3.4 of the Bugzilla codebase and therefore this feature will need to be implemented against the new release.
Updating bug version to 3.2.
Red Hat has now upgraded to Bugzilla 3.6 and this bug will now be reassigned to that version. It would be helpful to the Bugzilla Development Team if this bug is verified to still be an issue with the latest version. If it is no longer an issue, then feel free to close, otherwise please comment that it is still a problem and we will try to address the issue as soon as we can.
Bugzilla Development Team
Still works; I went to Bug 489755, deleted firstname.lastname@example.org from it and then re-added him. You can go to any bug and add/remove anyone from the CC list.
This was fixed upstream as part of the Bugzilla 4.2 release.
email@example.com 2012-06-20 01:14:28 EDT CC firstname.lastname@example.org email@example.com
firstname.lastname@example.org 2012-06-20 01:14:50 EDT CC email@example.com
And we're still vulnerable; I was able to do this from my personal account (picked a random open bug, removed tkramer and added him back in).
For reference it was https://bugzilla.redhat.com/show_activity.cgi?id=799187
This behaves correctly for me: using a non-privileged account, I only have the option to remove myself, not other people.
Does fedora_contrib which you have on that test account provide additional permissions?
Ah, interesting. I have confirmed that this does indeed behave properly: I created another account, and it is unable to remove users. So yes, my firstname.lastname@example.org account appears to have some additional privileges (likely due to the Fedora stuff). Thanks!