Bug #93160: Add option to disable Install Tool Sudo Mode for development
Status: closed (100% done)
Description
Since I've updated from v10.4.9 to v10.4.11, the backend is asking every time for the admin-user password while clicking on Maintenance, Settings, etc. The lifetime for this authentication seems to be very short (less than 5-10 min. or so).
This seems to be a new security feature, but I'd suggest disabling this feature in the development context, because during development it's super annoying as I always have to type in the PW to flush the cache ("Flush all caches" from the top menu doesn't clear all caches, at least not for YAML files/services/DI/etc.).
Sum up:
- Variant 1: Disable this feature in the development context (preferred, no new setting option needed)
- Variant 2: Add a setting to disable this feature, or add configuration to extend the authentication lifetime
Updated by Georg Ringer almost 4 years ago
- Status changed from New to Rejected
Thanks for creating this issue! While we understand that this makes it a bit harder during development, we still won't make it configurable because this will lead to sites in production having it disabled as well. Therefore this is neither configurable nor completely deactivated.
As a solution you can either:
- open the install tool as standalone
- use cli to clear the caches
Updated by Mathias Brodala almost 4 years ago
- Related to Task #92836: Introduce Sudo Mode for Install Tool added
Updated by Mathias Brodala almost 4 years ago
- Subject changed from Access to Admin-Tools in BE requires a password all the time to Add option to disable Install Tool Sudo Mode for development
Updated by Altan Tosun almost 4 years ago
Georg Ringer wrote in #note-1:
Thanks for creating this issue! While we understand that this makes it a bit harder during development, we still won't make it configurable because this will lead to sites in production having it disabled as well. Therefore this is neither configurable nor completely deactivated.
As a solution you can either:
- open the install tool as standalone
- use cli to clear the caches
You should also consider the case when passwords are not used anymore. As an example, we are using Single Sign-on providers and trying hard to get rid of all passwords. As we all know, passwords are one of the main security issues in authentication processes.
Currently there is no SSO for the Install Tool – therefore we can't use the Backend Install Tool feature anymore. I can understand your point for production reasons, where this feature should be deactivated anyway – but for development purposes it is really giving us a hard time now.
1) We should either make it configurable for the development context (this is an admin setting and an admin should always know what he is doing)
2) SSO or LoginProvider should also work for the Install Tool.
Second, according to the TYPO3 documentation, integrators should use this feature as well: https://docs.typo3.org/m/typo3/reference-coreapi/master/en-us/Security/GuidelinesIntegrators/InstallTool.html
We don't give integrators nor any developers any known passwords anymore because we are using SSO (the Install Tool passwords are generated randomly – fire and forget).
We are now forced to deal with passwords again, which makes the process more insecure (again).
Updated by Bastian Stargazer almost 4 years ago
I understand your concerns and totally agree from a security point of view.
But if this feature is bound to the context (meaning it is or can be disabled in the development context), in my opinion there will be no security issue, as the development context should only be used on local dev systems. An online system which runs in the development context is lost anyway.
- use cli to clear the caches
True, but not so convenient with typing all the time. Also the same issue applies to the database migration/comparison during development...
Updated by Timo Poppinga almost 4 years ago
I can totally agree with Bastian: if this feature is bound to the development context, I cannot see the security concern anymore.
Updated by Gerrit Code Review almost 4 years ago
- Status changed from Rejected to Under Review
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68094
Updated by Gerrit Code Review almost 4 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68094
Updated by Gerrit Code Review almost 4 years ago
Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68112
Updated by Oliver Bartsch almost 4 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 5b2153270ec5092aae98a702f0b59223f99a4144.
Updated by Gerrit Code Review almost 4 years ago
- Status changed from Resolved to Under Review
Patch set 2 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68112
Updated by Gerrit Code Review almost 4 years ago
Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68097
Updated by Oliver Bartsch almost 4 years ago
- Status changed from Under Review to Resolved
Applied in changeset 3668220facc2e8a8633f736c9b76f90a2c12482b.
Updated by Sybille Peters almost 4 years ago
- Related to Bug #93639: Having to enter account information periodically - makes working with extension scanner more difficult added
Updated by Christian Kuhn over 1 year ago
- Related to Task #94246: Reorganize sudo mode handling added