User with stream edit permission able to get all log messages


While playing around with stream permissions, I found out that it is possible for a user with editing permission (e.g. "permissions": [ "streams:edit:xxxxxxxxxxxxxxxxxxxxxxxxxxx" ]) on a particular stream to create either the "always match" rule or build a tautology using "field exists" in combination with OR (field "source" exists OR field "source" not exists), using a catch-all regex rule, etc. Isn't this undermining the security concept, allowing a non-admin user to see every log message? I would welcome at least a hint or information in the docs for users planning a security concept in Graylog.

Versions used: graylog 2.3.1, elasticsearch 5.5.2, Oracle jre 1.8.0_144, mongodb 3.4.7, all on Ubuntu 16.04 LTS.
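An added audit script, not from this thread or from the Graylog project, that flags streams whose rule set admits every message (the always-match rule, a catch-all regex, or the "exists OR does not exist" tautology described above). It assumes the stream-rule type codes Graylog's API uses (1 exact, 2 regex, 5 presence, 7 always match), the per-stream `matching_type` of AND/OR, and that a stream with no rules matches nothing; the sample streams are constructed.

```python
import json

# Assumed Graylog stream rule type codes (1 exact, 2 regex, 5 presence,
# 7 always match). Also assumed: a stream with no rules matches nothing.
REGEX, PRESENCE, ALWAYS_MATCH = 2, 5, 7

# Regex bodies that accept any string value; a heuristic list, not exhaustive.
CATCH_ALL_REGEXES = {".*", "^.*$", ".+", "^.+$", "[\\s\\S]*", "(.|\\n)*"}

def rule_matches_everything(rule):
    """True if this single, non-inverted rule accepts any message carrying the field."""
    if rule.get("inverted", False):
        return False
    if rule["type"] == ALWAYS_MATCH:
        return True
    return rule["type"] == REGEX and rule.get("value", "") in CATCH_ALL_REGEXES

def catch_all_findings(stream):
    """Return the reasons (empty list if none) why a stream's rules admit every message."""
    rules = stream.get("rules", [])
    mode = stream.get("matching_type", "AND").upper()
    universal = [r for r in rules if rule_matches_everything(r)]
    findings = []
    if rules and mode == "AND" and len(universal) == len(rules):
        findings.append("every rule is a catch-all (AND of always-true rules)")
    if mode == "OR":
        for r in universal:
            findings.append(f"catch-all rule type {r['type']} on field {r.get('field')!r}")
        # "field X exists" OR "field X does not exist" is always true
        polarity = {}
        for r in rules:
            if r["type"] == PRESENCE:
                polarity.setdefault(r["field"], set()).add(bool(r.get("inverted", False)))
        for field, seen in polarity.items():
            if seen == {True, False}:
                findings.append(f"tautology: field {field!r} exists OR does not exist")
    return findings

def audit(streams):
    """Map stream title -> findings, for every stream whose rule set is catch-all."""
    return {s["title"]: f for s in streams if (f := catch_all_findings(s))}

# Constructed sample input in the shape of a Graylog streams listing (illustrative only).
SAMPLE_STREAMS = [
    {"title": "web-only", "matching_type": "AND", "rules": [
        {"field": "source", "type": 1, "value": "web01", "inverted": False}]},
    {"title": "sneaky-or", "matching_type": "OR", "rules": [
        {"field": "source", "type": PRESENCE, "value": "", "inverted": False},
        {"field": "source", "type": PRESENCE, "value": "", "inverted": True}]},
    {"title": "always", "matching_type": "AND", "rules": [
        {"field": "", "type": ALWAYS_MATCH, "value": "", "inverted": False}]},
]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_STREAMS), indent=2))
```

Run it against the output of a streams listing exported from your own instance to see which streams an editor has turned into catch-alls; a catch-all regex is only flagged in OR mode or when it is the sole rule, since under AND other rules still restrict it.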

If you’re allowing a user to edit a stream (which means editing stream rules), what do you expect to happen?

In other words: No, that’s not undermining the security concept of Graylog. Just don’t give your users permissions to edit stuff they shouldn’t edit.
