Disable anonymous admin from foreman-rake

For troubleshooting I used the foreman-rake console with "User.current =
User.anonymous_admin".

This enables me to do several things to our foreman environment without
authenticating. How can I disable this for security purposes?

The anonymous admin is not the same user as the foreman admin it seems:

irb(main):002:0* User.current = User.anonymous_admin
=> #<User id: 1, login: "foreman_admin", firstname: "Anonymous",
lastname: "Admin", mail: nil, admin: true, last_login_on: nil,
auth_source_id: 2, created_at: "2016-09-28 08:09:17", updated_at:
"2016-09-28 08:09:17", password_hash: nil, password_salt: nil,
locale: nil, avatar_hash: nil, default_organization_id: nil,
default_location_id: nil, lower_login: "foreman_admin",
mail_enabled: true, timezone: nil>

With kind regards,

Jorick Astrego

Netbulae Virtualization Experts

----------------
Tel: 053 20 30 270 	info@netbulae.eu 	Staalsteden 4-3A 	KvK 08198180
Fax: 053 20 30 271 	www.netbulae.eu 	7547 TA Enschede 	BTW NL821234584B01

You can't, and it'd be rather pointless as it's trivial to work around.
The console is a fully interactive Ruby script that you're executing, so
any in-process security measure can be bypassed easily.

Executing any foreman-rake command successfully indicates you already
have direct access to the database, because the console process itself
connects to the DB, probably via a Unix domain socket and optionally
with a username/password stored in /etc/foreman/database.yml.

You should restrict access to the database and credentials to tighten
security, not try to restrict behaviour of this one script that accesses it.

On 06/10/16 11:33, Jorick Astrego wrote:


Dominic Cleal
dominic@cleal.org
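The point made above, that whoever can run the console already holds the database credentials, can be checked from the credential file itself. The Ruby script below is an added example, not code from this thread or from Foreman: it audits a Rails-style database.yml (a constructed sample here, not a real /etc/foreman/database.yml) for a plaintext password, TCP versus socket connection, and read access by local users other than the owner.

```ruby
require 'yaml'
require 'tempfile'

# Constructed sample (not from a real Foreman install): a production section
# that keeps a password in the file and talks to PostgreSQL over TCP.
SAMPLE_DATABASE_YML = <<~YAML
  production:
    adapter: postgresql
    host: 127.0.0.1
    database: foreman
    username: foreman
    password: change-me
YAML

# Returns a list of findings for a database.yml: anyone who can read this
# file (or run foreman-rake on the host) has the same database access the
# console uses, so the file mode and the credentials inside it are what count.
def audit_database_yml(path, env = 'production')
  findings = []
  mode = File.stat(path).mode & 0o777
  # Group/other read bits let other local users lift the credentials.
  findings << format('file readable by group/other (mode %04o)', mode) if (mode & 0o044) != 0

  cfg = YAML.safe_load(File.read(path))
  db = cfg[env]
  return findings << "no #{env} section" unless db.is_a?(Hash)

  findings << 'password stored in plaintext in the file' if db['password']
  host = db['host']
  if host.nil? || host.start_with?('/')
    # No host, or a path, means a local Unix domain socket: access is then
    # governed by the OS user and the server's host-based auth, not a password.
    findings << 'connects over a Unix domain socket'
  else
    findings << "connects over TCP to #{host}"
  end
  findings
end

# Writes the constructed sample with the given file mode and audits it.
def audit_sample(mode)
  tmp = Tempfile.new('database.yml')
  tmp.write(SAMPLE_DATABASE_YML)
  tmp.close
  File.chmod(mode, tmp.path)
  audit_database_yml(tmp.path)
ensure
  tmp&.unlink
end

puts audit_sample(0o644) if __FILE__ == $PROGRAM_NAME
```

Point audit_database_yml at the real file to see what a local user who can read it, or run the console, already has.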

Thanks for the info!

My knowledge of ruby is not so great, so I hadn't realized it was
talking to the db.

I'll have to dive more into it :wink:

With kind regards,

Jorick Astrego

Netbulae Virtualization Experts

On 10/06/2016 12:43 PM, Dominic Cleal wrote: