disabling manage databases functionality

Bug #1013236 reported by Marcos Mendez
This bug affects 8 people
Affects: Odoo Server (MOVED TO GITHUB)
Status: Confirmed
Importance: Wishlist
Assigned to: OpenERP's Framework R&D
Milestone: (none)

Bug Description

There should be a way to disable the manage databases functionality in the login screen, not just removing the link by editing base.xml, but the disabling underlying code (controllers, views, etc), so that it cannot be tampered with.

Revision history for this message
Amit Parik (amit-parik) wrote :

Hello Marcos,

I do not agree with you; we could not put the manage databases functionality inside the login because if we put it behind the login then the user may try to drop the same database he is logged into. So this will create an error.

As well, you said that "it cannot be tampered with". Currently another user also cannot tamper with this because he/she doesn't know the super admin password. So I think it's the correct place and we can't consider it as a bug.

Thank you!

Changed in openobject-server:
status: New → Invalid
Marcos Mendez (marcos-hr7) wrote :

This is not what I said at all.

"we could not put a manage databases functionality in the login screen because if we have put this under login screen then user may be try to drop same database with log in."

This should be removed from the login screen and be available to the admin AFTER he logs in, e.g. in some module such as settings or something else. Right now you provide that mechanism WITHOUT having to log in, and it only requires one password, rather than a username and password, which makes it less secure.

Changed in openobject-server:
status: Invalid → New
Marcos Mendez (marcos-hr7) wrote :

The problem is that once the system is set up, there should be a way (e.g. an option) to disable that, so that it cannot be accessed by anyone other than the administrator after login. Or some configuration option to just disable it altogether, and then the admin can re-enable it if needed at a later time (editing a conf file, restarting openerp, etc.).

Amit Parik (amit-parik) wrote :

Hello Marcos,

I got you exactly, but there was some problem with my comment.

It's like this: "IF we have put the manage databases functionality available to the admin AFTER he logs in, then there may be a possibility that he tries to drop the same database he is logged into, and then a problem will be generated." How can we manage it?

Thanks and waiting for your reply!

Changed in openobject-server:
status: New → Incomplete
Marcos Mendez (marcos-hr7) wrote : Re: [Bug 1013236] Re: disabling manage databases functionality

Great, then perhaps the better alternative is to have an option, maybe in the openerp-server.conf, which enables/disables the manage databases feature. If disabled, it should hide the link on the web and disable (e.g. with an access denied error) the backend controller that allows create, drop, etc., so that those methods can't be executed directly.

With this option we address both concerns.


Amit Parik (amit-parik) wrote :

Hello Marcos,

openerp-server.conf is a better option for hiding, so this is a good feature if we implement it. That's why I am considering this as a wishlist item.

Thank you!

Changed in openobject-server:
assignee: nobody → OpenERP's Framework R&D (openerp-dev-framework)
importance: Undecided → Wishlist
status: Incomplete → Confirmed
Marcos Mendez (marcos-hr7) wrote : Re: [Bug 1013236] disabling manage databases functionality

Can you also give me a hand with this bug please? I don't think this is a duplicate.

https://bugs.launchpad.net/bugs/1013223


Amit Parik (amit-parik) wrote :

Hello Marcos,

Yes, your issue lp:1013223 is not really a duplicate of lp:949907, but it is a duplicate of lp:992525. I am going to correct it.

Thanks for revival!

Walter Mantovani (walt-mantovani) wrote :

Hello everyone.

I know that this topic is a well-discussed issue and that this isn't a bug but a requested feature.

BUT... the lack of security is evident.

If I try to create a DB with a wrong password, I get the "Client Traceback", which gives me some potentially reserved information about the system. Overall, just from the login page, I could obtain the following information:

– OS (and eventually the distro);
– OpenERP version;
– method of installation (from the folders' path and name);
– number and names of the existing databases (e.g. info about the company's projects or divisions).

Why should this information be public by default?!

If the sysadmin installed OpenERP in the "official" way and path, not much information is available.
BUT IF the sysadmin put the OpenERP files in customized paths, some relevant information could be revealed.

Not to mention to the fact that googling something like:
>> openerp "Manage Databases" Username "log in" "Powered by" <<
we get a big list (about 3000) of OpenERP installations over the internet. If I knew a vulnerability, I could go looking for an affected installation (one having that particular vulnerability).

The priority of implementing the possibility to easily customize the login screen access is evident.
Here, some possible solutions:

– option to easily rename the text in the login screen (just to divert public bots);
– option to easily remove the "manage db" function (not just the link or the "db list");
– option to protect the login screen with a further authentication (even just simple HTTP authentication);
– option to restrict access to the "manage db" function, filtering by the IP address of the client (e.g. localhost; single IP; IP range; no filter).

I'm new to OpenERP but... are we sure that the "Client Traceback" functionality could not be used to retrieve other sensitive information?

This is not meant to be critical of the excellent work that the OpenERP coders did, but rather an open stimulus for reflection on a security issue.

Thank you all!

Leonardo Donelli (learts92) wrote :

Absolutely agree with Walter and Marcos: there should be a way for an administrator to disable the functionality altogether (and not just hide it).

Martin K. Schröder (0-info-g) wrote :

OpenERP is so secure that it even stores passwords in the database in clear text by default. And anyone who has access to the login screen can easily list all databases that are on the server without having to even log in. And the default login is admin/admin. Serious thoughts on security have somehow completely blown past the OpenERP development todo list. (I'm being nice here).

jykae (ville-jyrkka) wrote :

Any links or good advice for better security with Odoo/OpenERP?

Thomas (logtom) wrote :

+1 for

/etc/odoo/odoo.conf
dbmanager = False

Should remove the manage db link.
Should also give a 404 error for the create db page
"Create a new database by filling out the form"
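As an added example (not code from this thread or from the Odoo project), here is a small audit of the odoo.conf settings that decide whether the database manager is exposed: it checks `list_db` (the option Odoo actually ships for this purpose; the `dbmanager` name above is only a proposal), the `admin_passwd` master password, and `dbfilter`. The two sample configs are constructed for the example, and the master-password value in the hardened one is a placeholder.

```python
import configparser

# Constructed sample (not from the thread): the permissive defaults that
# leave the database manager reachable by anyone who can see the login page.
WEAK_CONF = """
[options]
admin_passwd = admin
list_db = True
"""

# Constructed sample: manager and DB listing disabled, master password
# replaced by a placeholder, and the selectable databases pinned down.
HARDENED_CONF = """
[options]
admin_passwd = REPLACE-WITH-A-LONG-RANDOM-MASTER-PASSWORD
list_db = False
dbfilter = ^prod$
"""


def audit_odoo_conf(text):
    """Return a list of findings about database-manager exposure in an odoo.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    opts = cp["options"] if cp.has_section("options") else {}
    findings = []
    # list_db defaults to True: the manager and the database list are public.
    if opts.get("list_db", "True").strip().lower() != "false":
        findings.append("list_db is not False: database manager and list are exposed")
    # admin_passwd is the single master password guarding create/drop/backup.
    if opts.get("admin_passwd", "admin").strip() in ("", "admin"):
        findings.append("admin_passwd is unset or the default 'admin'")
    # Without dbfilter every database on the server can be selected by name.
    if not opts.get("dbfilter", "").strip():
        findings.append("no dbfilter: every database on the server is selectable")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_odoo_conf(conf) or ["ok"])
```

Point it at a real file with `audit_odoo_conf(open("/etc/odoo/odoo.conf").read())` after a deployment to confirm the manager is actually off, not just unlinked.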
