[p4] Setting P4USER to a user with admin rights
Nick Barnes
Nick.Barnes at pobox.com
Thu Jan 11 02:05:54 PST 2001
At 2001-01-11 02:57:01+0000, Sheryl McKeown writes:
> Is this a known error or bug?
>
> As a regular user I do not have admin privledges to
> the p4 depot. However, if I set P4USER to a user who
> has admin priv I assume that user's privledges. This
> includes modifing p4 protect and other super user
> settings.
>
> This would seem a security hole. How do I prevent
> people from setting p4user to admin and then running
> amuck?
This is deliberate. The original purpose of Perforce users was to
provide information to the system (e.g. who made this change), not to
enforce security policies. After all, there are times when one really
does want to lie to the system (e.g. due to staff absence, one might
need to submit a changelist belonging to another user). This used to
be explicitly stated in the manual.
Now (since 98.2?) there are Perforce passwords, introduced
specifically to close this security hole. See <URL:
http://www.perforce.com/perforce/doc.002/manuals/p4sag/01_install.html#1051380>
and <URL:
http://www.perforce.com/perforce/doc.002/manuals/p4guide/06_misc.html#1040558>
Nick B
--
FreeBSD 4.1-RELEASE: up 55 days, 19:04
last reboot Thu Nov 16 15:01 (new machine)
More information about the perforce-user
mailing list