Bug #93160

closed

Add option to disable Install Tool Sudo Mode for development

Added by Bastian Stargazer about 3 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Install Tool
Target version:
Start date: 2020-12-22
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 10
PHP Version: 7.4
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Since I've updated from v10.4.9 to v10.4.11, the backend is asking every time for the admin-user password while clicking on Maintenance, Settings, etc... The lifetime for this authentication seems to be very short (less than 5-10 min. or so)

This seems to be a new security-feature, but I'd suggest to disable this feature in developing context. Because during development it's super annoying as I always have to type in the PW to flush the cache ("Flush all caches" from the top-menu doesn't clear all caches, at least not for YAML files/services/DI/etc...)

Sum up:
- Variant 1: Disable this feature in development-context (preferred, no new setting option needed)
- Variant 2: Add setting to disable this feature, or add configuration to extend the authentication lifetime


Related issues 3 (1 open, 2 closed)

Related to TYPO3 Core - Task #92836: Introduce Sudo Mode for Install Tool | Under Review | Oliver Hader | 2020-11-13
Related to TYPO3 Core - Bug #93639: Having to enter account information periodically - makes workin with extension scanner more difficult | Closed | 2021-03-03
Related to TYPO3 Core - Task #94246: Reorganize sudo mode handling | Resolved | 2020-11-16

Actions #1

Updated by Georg Ringer about 3 years ago

  • Status changed from New to Rejected

Thanks for creating this issue! While we understand that this makes it a bit harder during development we still won't make it configurable because this will lead to sites in production having it disabled as well. Therefore this is neither configurable nor completely deactivated.

As a solution you can either:
  • open the install tool as standalone
  • use cli to clear the caches
Actions #2

Updated by Mathias Brodala about 3 years ago

  • Related to Task #92836: Introduce Sudo Mode for Install Tool added
Actions #3

Updated by Mathias Brodala about 3 years ago

  • Subject changed from "Access to Admin-Tools in BE requires a password all the time" to "Add option to disable Install Tool Sudo Mode for development"
Actions #4

Updated by Altan Tosun about 3 years ago

Georg Ringer wrote in #note-1:

Thanks for creating this issue! While we understand that this makes it a bit harder during development we still won't make it configurable because this will lead to sites in production having it disabled as well. Therefore this is neither configurable nor completely deactivated.

As a solution you can either:
  • open the install tool as standalone
  • use cli to clear the caches

You should also consider the case when passwords are not used anymore. As an example we are using Single Sign-on providers and trying hard to get rid of all passwords. As we all know passwords are one of the main security issues in authentication processes.

Currently there is no SSO for the Install Tool – therefore we can't use the Backend Install Tool feature anymore. I can understand your point for production reasons where this feature should be deactivated anyway – but for development purposes it is really giving us a hard time now.

1) We should either make it configurable for development context (this is an admin setting and an admin should always know what he is doing)
2) SSO or LoginProvider should also work for the Install Tool.

Second, according to the TYPO3 documentation integrators should use this feature as well: https://docs.typo3.org/m/typo3/reference-coreapi/master/en-us/Security/GuidelinesIntegrators/InstallTool.html

We don't give integrators or any developers any known passwords anymore because we are using SSO (the Install Tool passwords are generated randomly – fire and forget).
We are now forced to deal with passwords again, which makes the process more insecure (again).

Actions #5

Updated by Bastian Stargazer about 3 years ago

I understand your concerns and totally agree from a security point of view.
But if this feature is bound to the context (meaning it is or can be disabled in development-context), in my opinion there will be no security issue, as the development-context should only be used on local dev systems. An online system which runs in development-context is lost anyway.

  • use cli to clear the caches

True, but not so convenient with typing all the time. Also the same issue applies for the database-migration/comparison during development...

Actions #6

Updated by Timo Poppinga about 3 years ago

I can totally agree with Bastian; if this feature is bound to the development context, I cannot see the security concern anymore.

Actions #7

Updated by Gerrit Code Review about 3 years ago

  • Status changed from Rejected to Under Review

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68094

Actions #8

Updated by Gerrit Code Review about 3 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68094

Actions #9

Updated by Gerrit Code Review about 3 years ago

Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68112

Actions #10

Updated by Oliver Bartsch about 3 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #11

Updated by Gerrit Code Review about 3 years ago

  • Status changed from Resolved to Under Review

Patch set 2 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68112

Actions #12

Updated by Gerrit Code Review about 3 years ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68097

Actions #13

Updated by Oliver Bartsch about 3 years ago

  • Status changed from Under Review to Resolved
Actions #14

Updated by Sybille Peters about 3 years ago

  • Related to Bug #93639: Having to enter account information periodically - makes workin with extension scanner more difficult added
Actions #15

Updated by Benni Mack almost 3 years ago

  • Status changed from Resolved to Closed
Actions #16

Updated by Christian Kuhn 7 months ago

  • Related to Task #94246: Reorganize sudo mode handling added