ACL for eJadSPM, it's a big joke, the automatic installer compromises the server security
onemancrew
#1 Posted : Monday, February 18, 2008 8:00:16 AM

Rank: eJadSPM Learner

Groups: Member

Joined: 2/18/2008
Posts: 5
Points: 15
Today I have installed eJadSPM.
I see that the installer has created a new user: "eJadSPM_Web"
I also see that this user is a member of the group called "Administrators"

Developers, are you insane?
Which programmer configures such an ACL? We are talking about a web application which has access from ANY!!!

Now let's move to the user of the Application Pool which eJadSPM is running under.
The automatic installer has configured it to run as "local system".
Again, security compromised!!!
Why not use the same user "eJadSPM_Web"?

The developers need to take the web application back to the sketch desk.
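
A check an administrator could run to confirm the two settings reported above, added here as an example and not part of the original post or of eJadSPM itself. It assumes IIS 7 or later with the WebAdministration module and PowerShell 5.1 (for Get-LocalGroupMember), run elevated on the server; the account name is the one quoted in the post.

```powershell
# Added example: audit the two settings reported in the post above.
Import-Module WebAdministration

$account  = 'eJadSPM_Web'     # account name quoted in the post
$adminSid = 'S-1-5-32-544'    # well-known SID of BUILTIN\Administrators
# Match "name", ".\name" or "HOST\name" (-match is case-insensitive)
$pattern  = '(^|\\)' + [regex]::Escape($account) + '$'

# 1. Is the web account a member of the local Administrators group?
#    Looking the group up by SID also works on localized Windows builds.
$inAdmins = @(Get-LocalGroupMember -SID $adminSid |
    Where-Object { $_.Name -match $pattern }).Count -gt 0

# 2. Which identity does each application pool run as, and for which sites?
$sites = @(Get-Website)
$pools = Get-ChildItem IIS:\AppPools | ForEach-Object {
    $pool = $_
    [pscustomobject]@{
        Pool     = $pool.Name
        Identity = [string]$pool.processModel.identityType
        UserName = [string]$pool.processModel.userName
        Sites    = ($sites | Where-Object { $_.applicationPool -eq $pool.Name } |
                        ForEach-Object { $_.Name }) -join ', '
    }
}
$pools | Format-Table -AutoSize

# 3. Report pools whose worker process has full control of the server.
if ($inAdmins) {
    Write-Warning "$account is a member of the local Administrators group."
}
foreach ($p in $pools) {
    if ($p.Identity -eq 'LocalSystem') {
        Write-Warning "Pool '$($p.Pool)' runs as LocalSystem (sites: $($p.Sites))."
    }
    elseif ($inAdmins -and $p.Identity -eq 'SpecificUser' -and $p.UserName -match $pattern) {
        Write-Warning "Pool '$($p.Pool)' runs as $account, which is an administrator."
    }
}
```
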
aziz
#2 Posted : Monday, February 18, 2008 11:36:52 PM

Rank: Management

Groups: Administration , Member

Joined: 11/11/2007
Posts: 59
Points: 246
Location: Dubai
"eJadSPM_Web" user MUST be an Administrators group member because eJadSPM is not just an ordinary web application. It is the control system to manage and run all aspects of your business, and for that it requires administrative access to your network and servers. For example, when you configure Network Monitoring, the application control panel should be running under Administrative rights, otherwise it cannot monitor remote servers and ports. Another example is Servers Management: the application cannot show you disk usage graphs, running processes, event logs, etc. unless proper permissions are set.

eJadSPM's security model is well thought out and well designed. The way the installer configures the application is intentional and a REQUIREMENT for its operations.

I hope this helps you understand.
Aziz Paracha
Vice President/CTO
eJadSPM System -- SaaS Enabled Hosted Service Delivery Platform
www.machsol.com
We offer the world's only affordable consolidated platform for SaaS providers. Is there a company that beats our pricing? Let me know!