Secure setup of system users by default

Description

To prevent unintended security holes by not setting username or password for created system users while deploying a module should fail at startup when username or password configuration is missing. For GDPR security by default is required.

So every module should set up:

system user name on a configuration variable. A default fallback value might be set.
system user password on a configuration variable. NO default fallback value should be set.

e.g.

Environment

None

Potential Workaround

None

Linked issues

defines

SECURITY-9

Secure setup of system users by default

relates to

MODPUBSUB-280

Release mod-pubsub 2.11.1

Checklist

hide

TestRail: Results

Activity

Show:

Oleksii Petrenko November 2, 2023 at 2:59 PM

Deployed to Poppy BF. Please proceed with verification.

Oleksandr Vidinieiev October 31, 2023 at 12:56 PM

Snapshot reference build went fine. Deployment of these changes initially broke mod-pubsub's deployment to Vega's Rancher, but manually adding missing environment variables fixed the issue.

Done

Details
Assignee
Oleksandr Vidinieiev
Reporter
Axel Dörrer
Labels
back-endsecuritysecurity-reviewed
Priority
P2
Story Points
1
Sprint
None
Development Team
Vega
Fix versions
2.11.1
2.13.0
Release
Poppy (R2 2023) Bug Fix
TestRail: Cases
Open TestRail: Cases
TestRail: Runs
Open TestRail: Runs

Created October 12, 2023 at 12:19 PM

Updated March 20, 2024 at 4:25 PM

Resolved October 31, 2023 at 12:48 PM

Configure

TestRail: Cases

TestRail: Runs