Skip to content
This repository has been archived by the owner on Dec 13, 2023. It is now read-only.

Doc: Make clear that sharing registration_shared_secret is dangerous #2885

Closed
rugk opened this issue Feb 17, 2018 · 7 comments
Closed

Doc: Make clear that sharing registration_shared_secret is dangerous #2885

rugk opened this issue Feb 17, 2018 · 7 comments
Labels
Z-Help-Wanted We know exactly how to fix this issue, and would be grateful for any contribution

Comments

@rugk
Copy link

rugk commented Feb 17, 2018

In the config file it reads about registration_shared_secret:

If set, allows registration by anyone who also has the shared secret, even if registration is otherwise disabled.

Especially the last part implies that this is just a secret one can share to users, who want to create an account. It then enables the registration, but only for the user, who has this secret. Also sounds very convenient.

What you do not mention there is one big fact: With that secret, you can register admin accounts!
That means that this secret is much more dangerous than one expects from reading the config description! (I also thought it is harmless.)

And, BTW, I am not the only one, who had this idea: element-hq/element-web#2090

So better adjust the text there, to specifically point that out! (and make sure that no admin shares it)

@richvdh
Copy link
Member

richvdh commented Feb 22, 2018

a pr to reword it would be welcome.

@richvdh richvdh added the Z-Help-Wanted We know exactly how to fix this issue, and would be grateful for any contribution label Feb 22, 2018
@rugk
Copy link
Author

rugk commented Feb 22, 2018

When you point me to the location, that needs to be adjusted... 😃

@june07
Copy link

june07 commented Jun 9, 2018

@rugk I'm not finding in the code where users can register as admins via the REST interface? Per your post:
"With that secret, you can register admin accounts" can you tell me how/where they would be able to do such?

And secondarily, is this the desired behavior?

@rugk
Copy link
Author

rugk commented Jun 9, 2018

See also the issue I linked. There someone also said one can do this. I don't know whether I tested it, but I'm actually sure it is possible this way.

And, I guess, yes, it is intended. There is this Python script for creating accounts.

@aaronraimist
Copy link
Contributor

When you point me to the location, that needs to be adjusted... 😃

# If set, allows registration by anyone who also has the shared

and the README probably

@aaronraimist
Copy link
Contributor

Also this issue is a related to #1659 but since it has more info maybe that issue should be closed in favor of this one.

aaronraimist added a commit to aaronraimist/synapse that referenced this issue Mar 9, 2019
Signed-off-by: Aaron Raimist <aaron@raim.ist>
richvdh pushed a commit that referenced this issue Mar 11, 2019
* Clarify what registration_shared_secret allows for (#2885)

Signed-off-by: Aaron Raimist <aaron@raim.ist>

* Add changelog

Signed-off-by: Aaron Raimist <aaron@raim.ist>
@richvdh
Copy link
Member

richvdh commented Mar 11, 2019

fixed in #4844

@richvdh richvdh closed this as completed Mar 11, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Z-Help-Wanted We know exactly how to fix this issue, and would be grateful for any contribution
Projects
None yet
Development

No branches or pull requests

4 participants