
Confluence Administrator Can Add Himself to System Administrator Group

    • Type: Bug
    • Resolution: Not a bug
    • Priority: Medium
    • Fix Version/s: None
    • Affects Version/s: 4.3.6
    • Component/s: None
    • Environment: Confluence is running via Tomcat 6.0.32 on Windows Server 2008 64-bit. JDK: 1.7.0_07.

      I have found what I believe to be a security bug in Confluence that should be fixed.

      We have System Administrator function from the Confluence Administrator Group, and created a new Group called System Administrators (see attachment). The purpose was to give our Tech Writers the ability to access the Admin screen without giving them the ability to install add-ons. They belong to the Confluence-Administrators group, but not to the System-Administrators group.

      However, I have found out that they have the ability to add themselves to the System-Administrators group. This allows them to increase their own authority and install add-ons.

      They should not be able to add themselves to a group that has higher authority than they had.


            Chuck Minarik added a comment:

            David,

            Thanks for your reply. We'll create a new user group and give that group "Confluence Administrator" permission. Then I'll put our Tech Writers in that group.

            However, they have granted space and page permissions to the "confluence-administrators" group, that need to be replicated to the new group.

            How do I query the database to find out which pages and spaces have special permissions assigned to the "confluence-administrators" group?

            Thanks,

            Chuck
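
            The question above asks for a database query listing the explicit space and page permissions granted to a group, so that they can be replicated to the replacement group before it is used instead of "confluence-administrators". The following is an added example, not from the issue or from Atlassian; it assumes the Confluence 4.x schema tables SPACEPERMISSIONS, SPACES, CONTENT_PERM, CONTENT_PERM_SET and CONTENT, and the group name is a placeholder to substitute. Column names vary between Confluence versions, so verify them against your own database before running it. Run it read-only against a copy or with a read-only account.

```sql
-- Added example (not from the issue): list where a group has been granted
-- explicit permissions in Confluence. Assumed Confluence 4.x table/column
-- names; check against your schema. Replace the group name as needed.

-- 1. Space-level permissions (and global permissions, where SPACEID is NULL)
--    granted to the group. A LEFT JOIN keeps the global rows visible.
SELECT s.SPACEKEY,
       s.SPACENAME,
       sp.PERMTYPE            -- e.g. VIEWSPACE, EDITSPACE, SETSPACEPERMISSIONS
FROM SPACEPERMISSIONS sp
LEFT JOIN SPACES s ON s.SPACEID = sp.SPACEID
WHERE sp.PERMGROUPNAME = 'confluence-administrators'   -- placeholder group
ORDER BY s.SPACEKEY, sp.PERMTYPE;

-- 2. Page-level restrictions granted to the group. CONTENT_PERM rows hang off
--    a CONTENT_PERM_SET that belongs to one content item; filtering on
--    PREVVER IS NULL keeps only the current version of each page.
SELECT s.SPACEKEY,
       c.CONTENTID,
       c.TITLE,
       cp.CP_TYPE             -- 'View' or 'Edit' restriction
FROM CONTENT_PERM cp
JOIN CONTENT_PERM_SET cps ON cps.ID = cp.CPS_ID
JOIN CONTENT c ON c.CONTENTID = cps.CONTENT_ID
JOIN SPACES s ON s.SPACEID = c.SPACEID
WHERE cp.GROUPNAME = 'confluence-administrators'       -- placeholder group
  AND c.PREVVER IS NULL
ORDER BY s.SPACEKEY, c.TITLE;
```

            The first result set is what has to be re-granted to the new group at space level (and, for the SPACEID-NULL rows, at global level); the second lists the individual pages whose view/edit restrictions name the group. Note that, as the reply below explains, the "confluence-administrators" group bypasses permission checks entirely, so these explicit grants are the only thing the new group will inherit and anything relying on the bypass needs a real grant.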

            David Rizzuto added a comment:

            Hi Chuck,

            Thanks for taking the time to report this issue. Confluence treats the "confluence-administrators" group differently to other groups - it is exempt from permissions checks, and that can never be changed. This is known behaviour and so I'm going to close this issue as not a bug.

            You can achieve the desired results by creating a new group, adding all the users you wish, and granting that group "administer confluence" permission.

            Regards,
            David Rizzuto
            Confluence Bugmaster
            Atlassian

              Assignee: David Rizzuto
              Reporter: Chuck Minarik
              Affected customers: 0
              Watchers: 3