
Running root\admin level Adhoc scripts

Idea ID 1658398

Re: Running root\admin level Adhoc scripts

Anyone who can run a promoted script can also run an Adhoc script. Permissions don't separate promoted scripts from Adhoc; we need to restrict it so that people can't run Adhoc scripts as root or LocalAdmin. If they could still run Adhoc scripts as non-root or non-LocalAdmin that would be great, but if not then we need a way to totally disable Adhoc (while still allowing the "Select Script" option to run as super-user or not).

This limitation of the tool is a HUGE issue for security and audit, as it basically means anyone who has the ability to run an approved script also has the ability to run Adhoc (with admin level permissions). With hundreds of users who need to run approved scripts, we need to not allow them to run root\localadmin scripts as well, or have a way to allow some approved users to do this. As it is today, hundreds of users can log in and run an Adhoc root\localadmin (untested) script at will. Someone with malicious intent could cripple hundreds to thousands of servers in a matter of seconds to minutes, i.e. select all Linux servers, run adhoc script as root: rm -rf *

Imagine the implications of this happening... Any day now our security teams could realize this is the biggest current threat to the company and demand we remove this as a possibility.

5 Comments
Micro Focus Expert
Status changed to: Waiting for Votes

The idea has received an initial review to ensure adherence to our idea submission and community guidelines. More information may be needed at this stage and we expect the community to help prioritize the idea with comments and community support (votes/kudos).

Micro Focus Expert

I set up my SA 10.23 environment such that a user only has these two permissions. This permission model has been like this since SA 5.x (I checked the functional spec).

  1. Name: Run Adhoc Scripts. Description: Enter and run ad hoc scripts as a non-super user. Permission: YES
  2. Name: Managed Servers and Groups. Description: View and manage servers and device groups. Permission: YES

runadhocscripts.PNG

With only this permission set, a user can:

  • Only execute scripts previously defined (saved scripts).
  • Those scripts may elevate permissions to run as the root user, as defined by the script creator setting the "Run as super user (YES)" radio button.
  • They may create ad hoc scripts, but these are only executed as a user they specify.

run-adhoc-greyed-out.PNG

You'll note the ability to run as root is grayed out and not enabled.

non-root-user.PNG

You are mistaken. If this is happening in your environment you have a configuration issue, one that I would address very quickly if this is allowable.

Where it's confusing is what the permission "Run Ad hoc Scripts" gives you. It also gives you the ability to run "SAVED SCRIPTS", which is not evident from its description in the GUI.

Run as SuperUser script attributes vs Run Script as

As the script creator you are able to specify that a saved script can be elevated as root at runtime by the operator using it.  You use the following radio button:

run-as-superuser.PNG

This means the low level operator that only has the "ad hoc script execution as non-super user" privilege can now execute a saved script as root if they wish to. This radio button, which was previously greyed out for execution of "ad hoc" scripts, will grant this ability.

able-to-run-as-root.PNG

Brett 

troytillmann77 (Trusted Contributor)

Thanks Brett! This does give us what we need, and the descriptions are misleading...

These settings allow users to run Ad-hoc and saved scripts as non-super users (the non-super user account must exist on the server with a password). Saved scripts can be set to run as super-user or not by the creator of the script. These settings should be used to prevent users from running Ad-hoc scripts as root while still allowing saved scripts to be run (as super user or not)!

  1. Name: Run Ad hoc & Saved Server Scripts As Super User. Description: Enter and run ad hoc and saved scripts as super user. Permission: No
  2. Name: Run Ad hoc Scripts. Description: Enter and run ad hoc scripts as a non-super user. Permission: Yes
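As an added illustration (not Server Automation's own code or API), the following Python models the permission semantics Brett and Troy describe above: with only "Run Ad hoc Scripts", an ad hoc script cannot be run as root, but a saved script whose creator enabled "Run as super user" still can, and only the super-user permission opens ad hoc execution as root. The data structures, the audit helper and the sample users are assumptions made for the example.

```python
"""Model of the SA action-permission semantics described in this thread.
Constructed illustration only: permission names come from the thread, the
data model, audit helper and sample users are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

RUN_ADHOC = "Run Ad hoc Scripts"                               # ad hoc as non-super user
RUN_SUPER = "Run Ad hoc & Saved Server Scripts As Super User"   # ad hoc/saved as root


@dataclass(frozen=True)
class Script:
    saved: bool               # False = typed in as an ad hoc script
    run_as_super_user: bool   # creator's "Run as super user" radio button (saved only)


def effective_identity(perms: FrozenSet[str], script: Script,
                       requested_user: str) -> Optional[str]:
    """Return the account the script would run as, or None if execution is denied.

    RUN_SUPER: operator may pick root for ad hoc and saved scripts alike.
    RUN_ADHOC alone: ad hoc runs only as a named non-root account; saved scripts
    also run, and may run as root only if the creator enabled the flag.
    """
    if RUN_SUPER in perms:
        return requested_user
    if RUN_ADHOC not in perms:
        return None
    if script.saved:
        if requested_user == "root" and not script.run_as_super_user:
            return None
        return requested_user
    # Ad hoc script: the root option is greyed out for this permission set.
    return None if requested_user == "root" else requested_user


def users_able_to_run_adhoc_as_root(user_perms: Dict[str, FrozenSet[str]]) -> List[str]:
    """Audit helper: users who can type an untested ad hoc script and run it as root."""
    probe = Script(saved=False, run_as_super_user=False)
    return sorted(u for u, p in user_perms.items()
                  if effective_identity(p, probe, "root") == "root")


# Constructed sample permission sets (the "operator" matches Brett's setup).
USERS = {
    "operator": frozenset({RUN_ADHOC, "Managed Servers and Groups"}),
    "scriptadmin": frozenset({RUN_ADHOC, RUN_SUPER}),
}

if __name__ == "__main__":
    print(users_able_to_run_adhoc_as_root(USERS))  # ['scriptadmin']
```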

Micro Focus Expert
Status changed to: Already Offered

I'll set the status of this idea as already offered. We'll open a change request to provide a better description for the action permission.

Cosmin

troytillmann77 (Trusted Contributor)

Thank you.
