Security Disaster


S_M

Hello,

I am not sure I can explain how frustrated I am at what just happened.

I tried to define permissions for different users over the repository, so they can access (generally said) different items according to their permissions.

The logic I followed, which seemed reasonable at the time, was to add specific users, grant them the permissions I wanted, then remove the permissions from ALL USERS so they don't have access to everything.

The moment I clicked "apply", everything went into a complete blockout.

I could access nothing, even though I was logged in with the administrator user, the one that created the repositories.

I couldn't even see the repositories. I was making those changes only for a specific repository, but now all of my repositories have disappeared.

The GUI is not responding to anything; whenever I try to access a workspace or repository, I get an error message that I don't have permissions.

This is a TOTAL DISASTER for me and UNACCEPTABLE for such a type of software, which is otherwise very nice.

I would be very glad if I could receive some help, because at the moment I don't even know how, or if, it is possible to fix this.

Thanks in advance.


I don't think it's a bug in Plastic. I wouldn't call it a bug. It is more of a feature that is quite unintuitive, something very unusual for this very nice piece of software, that could lead to a potentially serious problem, as happened in my case.

I received help with it and everything was fixed fast, thanks to Manu. I think the guys at Codice have acknowledged this potential problem and are working to improve it very soon. :)


What happened is that the repository server ACL was almost cleared of permissions. All the repositories inherit from the repository server by default, so there was no access to any of S_M's repositories.

Actually, it is quite easy to end up in this situation: right-click on a repository -> Repository server permissions -> Select "ALL_USERS" and click "Remove & Apply" -> Doomsday :)

We restored the default ACL by accessing the database, and everything was restored after a server restart.

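The lockout described in this thread, as an added example that is not part of the original posts and is not Plastic SCM code: a simplified ACL model with a pre-apply check that refuses a removal which would leave no administrator with access. The model is an assumption (a repository with no entries of its own inherits the server ACL, and `ALL_USERS` matches everyone); all names and sample data are constructed.

```python
# Simplified model (assumption, not Plastic SCM's real permission engine):
# an ACL maps principal -> set of granted permissions. A repository with no
# entries of its own inherits the repository-server ACL.
ALL_USERS = "ALL_USERS"

# Constructed sample data: the administrator has no explicit entry and only
# has access through ALL_USERS, as in the situation described in the thread.
SERVER_ACL = {ALL_USERS: {"view", "read", "changeperm"},
              "dev1": {"view", "read"}}
REPO_ACLS = {"main": {}, "tools": {}}   # both inherit from the server
ADMINS = ["admin"]


def effective(server_acl, repo_acls, repo, user):
    """Permissions `user` holds on `repo` (own ACL if present, else inherited)."""
    acl = repo_acls.get(repo) or server_acl
    return acl.get(user, set()) | acl.get(ALL_USERS, set())


def locked_out(server_acl, repo_acls, admins, needed="changeperm"):
    """Repositories on which no administrator keeps the `needed` permission."""
    return sorted(
        repo for repo in repo_acls
        if not any(needed in effective(server_acl, repo_acls, repo, a)
                   for a in admins)
    )


def remove_principal(server_acl, repo_acls, principal, admins):
    """Simulate removing `principal` from the server ACL on a copy.

    Returns the new ACL, or raises if every administrator would lose the
    ability to change permissions on some repository (no way back via the GUI).
    """
    proposed = {p: set(perms) for p, perms in server_acl.items()
                if p != principal}
    lost = locked_out(proposed, repo_acls, admins)
    if lost:
        raise PermissionError(f"refusing: no admin can manage {lost}")
    return proposed


def grant(server_acl, principal, perms):
    """Return a copy of the ACL with `perms` added for `principal`."""
    new = {p: set(v) for p, v in server_acl.items()}
    new.setdefault(principal, set()).update(perms)
    return new
```

Granting the administrator an explicit entry first, then removing `ALL_USERS`, passes the check; removing `ALL_USERS` directly is rejected for both sample repositories.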

Archived

This topic is now archived and is closed to further replies.
