User with stream edit permission able to get all log messages

(Juey90) #1


While playing around with stream permissions, I found out that it is possible for a user with editing permission (e.g. `"permissions": [ "streams:edit:xxxxxxxxxxxxxxxxxxxxxxxxxxx" ]`) on a particular stream to create either the "always match" rule or build a tautology using "field exists" in combination with OR (field "source" exists OR field "source" not exists), using a catch-all regex rule, etc. Isn't this undermining the security concept, to allow a non-admin user to see every log message? I would welcome at least a hint or information in the docs for users planning a security concept in Graylog.

Versions used: graylog 2.3.1, elasticsearch 5.5.2, Oracle jre 1.8.0_144, mongodb 3.4.7, all on Ubuntu 16.04 LTS.
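The three constructions described in the post (an "always match" rule, a "field exists OR field not exists" pair, and a catch-all regex) can be checked for mechanically before handing out `streams:edit` on a stream. The script below is an added example, not code from the original post or from Graylog itself; it audits a stream listing in the shape returned by the Graylog REST API and reports streams whose rule set matches every message. It assumes that rule type codes follow Graylog's `StreamRuleType` enum (2 = regex, 5 = field presence, 7 = always match), that each stream document carries a `matching_type` of `AND` or `OR` and a `rules` list, that `message`, `source` and `timestamp` are present on every message, and that a stream with no rules matches nothing; verify these against your Graylog version before relying on the result.

```python
"""Audit Graylog stream rules for catch-all rule sets.

Added example, not code from the original thread or from Graylog.
Assumptions (verify against your Graylog version): rule type codes follow
Graylog's StreamRuleType enum (2 = regex, 5 = field presence,
7 = always match); a stream document carries "matching_type" ("AND"/"OR")
and a "rules" list; a stream with no rules matches nothing.
"""
import json

RULE_REGEX = 2
RULE_PRESENCE = 5
RULE_ALWAYS_MATCH = 7

# Regex patterns that match any string. Assumption: Graylog applies the
# pattern with find(), so an anchored empty match is enough. Extend as needed.
CATCH_ALL_REGEXES = {".*", "^.*$", "^.*", ".*$", ".*?", "^", "$"}

# Fields every Graylog message carries (assumption). A regex rule on any
# other field only matches when that field is actually set.
ALWAYS_PRESENT_FIELDS = {"message", "source", "timestamp"}


def rule_is_tautology(rule):
    """True if this single rule matches every message on its own."""
    rtype = rule.get("type")
    inverted = bool(rule.get("inverted", False))
    if rtype == RULE_ALWAYS_MATCH:
        return not inverted  # an inverted "always match" matches nothing
    if rtype == RULE_REGEX and not inverted:
        return (rule.get("field") in ALWAYS_PRESENT_FIELDS
                and rule.get("value") in CATCH_ALL_REGEXES)
    return False


def stream_matches_everything(stream):
    """True if the stream's rules, under its matching_type, match all messages."""
    rules = stream.get("rules") or []
    if not rules:
        return False  # assumption: a stream without rules matches nothing
    mode = str(stream.get("matching_type", "AND")).upper()
    tautologies = [rule_is_tautology(r) for r in rules]
    if mode == "AND":
        return all(tautologies)  # one restrictive rule breaks the catch-all
    # OR: a single tautological rule is enough ...
    if any(tautologies):
        return True
    # ... as is a "field X exists OR field X not exists" pair.
    present = {r.get("field") for r in rules
               if r.get("type") == RULE_PRESENCE and not r.get("inverted")}
    absent = {r.get("field") for r in rules
              if r.get("type") == RULE_PRESENCE and r.get("inverted")}
    return bool(present & absent)


def audit_streams(streams):
    """Return (id, title) for every stream whose rules match all messages."""
    return [(s.get("id"), s.get("title")) for s in streams
            if stream_matches_everything(s)]


# Constructed sample in the shape of the REST API's stream listing; the ids
# and titles are made up for this example.
SAMPLE_STREAMS = json.loads("""[
  {"id": "a1", "title": "webservers", "matching_type": "AND",
   "rules": [{"type": 1, "field": "source", "value": "web01", "inverted": false}]},
  {"id": "a2", "title": "always", "matching_type": "AND",
   "rules": [{"type": 7, "field": "", "value": "", "inverted": false}]},
  {"id": "a3", "title": "tautology", "matching_type": "OR",
   "rules": [{"type": 5, "field": "source", "value": "", "inverted": false},
             {"type": 5, "field": "source", "value": "", "inverted": true}]},
  {"id": "a4", "title": "regex", "matching_type": "AND",
   "rules": [{"type": 2, "field": "message", "value": ".*", "inverted": false}]},
  {"id": "a5", "title": "and-pair", "matching_type": "AND",
   "rules": [{"type": 5, "field": "source", "value": "", "inverted": false},
             {"type": 5, "field": "source", "value": "", "inverted": true}]}
]""")

if __name__ == "__main__":
    for sid, title in audit_streams(SAMPLE_STREAMS):
        print(f"stream {sid} ({title}) matches every message")
```

Note that the same presence pair under `AND` (stream `a5`) is a contradiction rather than a tautology, so only the `OR` form is flagged; likewise an `always match` rule combined with a restrictive rule under `AND` is not a catch-all. The check is a heuristic: a user with `streams:edit` can still write a regex outside the listed patterns that matches everything in practice, which is why the permission itself, not the rule set, is the thing to restrict.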

(Jochen) #2

If you’re allowing a user to edit a stream (which means editing stream rules), what do you expect to happen?

In other words: No, that’s not undermining the security concept of Graylog. Just don’t give your users permissions to edit stuff they shouldn’t edit.

