Posts Tagged 'sudo'

Sudo for Scripts in Alfresco

sudoToday I ran into the pitfall of Alfresco scripts and permissions again. For all kind of reasons I cannot rewrite code, but run into trouble because a user having a particular role executes a script that modifies permissions. This of course fails if this user has less permissions on a given space or document than expected. The user/group will have more permissions (that make no sense) than needed, and only a little tiny change in the security settings can screw-up the transaction the script is part of. The best approach is of course to get rid of the script approach at all (related to permissions), and implement a decent class running as System. But I cannot.

I remember having seen the sudoUtils in the past, and the improved version after that, created by Fabio Strozzi. This is nice, but not exactly matching my use case/requirements. I have no clue who executes this function. An unknown, in time growing set of groups can execute, but only if it is defined in a particular script. The script limits the access, not the user or group. It would make sense to allow execution of a particular named script (or better, a set of predefined scripts). My idea is that I can define a set of scripts that can be executed as System user. However, to make sure we meet security, these named scripts (in alfresco-global.properties) need to be loaded from classpath, not from repository.

Lets face it, if someone has access to the file system, anything is possible… Continue reading ‘Sudo for Scripts in Alfresco’

Advertisements