Check for elevated permissions with automatic login #482
Conversation
Co-authored-by: Adipa Wijayathilaka <[email protected]>
src/D2L.Bmx/Program.cs
Outdated
| @@ -21,8 +23,28 @@ | |||
| // allow no-sandbox argument for chromium to for passwordless auth with elevated permissions | |||
| var bypassBrowserSecurityOption = new Option<bool>( | |||
| name: "--experimental-bypass-browser-security", | |||
| getDefaultValue: () => false, | |||
There was a problem hiding this comment.
The validator wasn't getting called without this if the flag wasn't included
src/D2L.Bmx/Program.cs
Outdated
| @@ -282,3 +304,8 @@ | |||
| } ) | |||
| .Build() | |||
| .InvokeAsync( args ); | |||
|
|
|||
| internal static partial class NativeMethods { | |||
There was a problem hiding this comment.
Top Level Statement L here?
There was a problem hiding this comment.
I'd rather we wrap this along with the IsWindows, IsLinux, IsMacOS logic all in a separate file & class.
There was a problem hiding this comment.
There's a lot happening in Program.cs already
gord5500
requested review from
cfbao,
boarnoah,
scowing,
jharoutuniand2l and
AnimalXing
and removed request for
a team
src/D2L.Bmx/Program.cs
Outdated
| [LibraryImport( "libc", EntryPoint = "geteuid" )] | ||
| public static partial uint GetPosixEuid(); |
There was a problem hiding this comment.
Do you know if this works on Alpine with musl, AFAICS the musl implementation of libc, is called libc as far as imports in C etc... are concerned.
So this might work?
There was a problem hiding this comment.
our existing libc calls work in alpine
src/D2L.Bmx/Program.cs
Outdated
| """; | ||
| } else if( !isElevated && bypass ) { | ||
| result.ErrorMessage | ||
| = "BMX is not running with elevated permissions, so --experimental-bypass-browser-security must be set to false"; |
There was a problem hiding this comment.
nit: Isn't it better to say, something along the lines of: don't provide -experimental-bypass-browser-security
src/D2L.Bmx/Program.cs
Outdated
| Running BMX with elevated permissions is only allowed with the '--experimental-bypass-browser-security' flag. | ||
| Only include this if you aren't concerned with the security of the host for your Okta organization. |
There was a problem hiding this comment.
nit: I would really like it if we could articulate that:
- Using BMX to do AWS stuff is perfectly fine while elevated
- You only need this flag when you want to do the equivalent of
bmx loginas admin
a. Right call in most situations is to, runbmx loginon your computer once a day without elevated privs
b. If you insist in running BMX with elevated privs as the first thing of the day, that is when you need the flag.
Not sure how to fit all that in one sentence :P
There was a problem hiding this comment.
Okay so this checking for permission logic should go in the okta authenticator class then
There was a problem hiding this comment.
There's also the consideration that... what if this flag is used with AWS credential process, and what if that may be triggered automatically sometimes elevated sometimes not?
This is a real concern for the LMS.
There was a problem hiding this comment.
in other words, I'm not too sure that we should always fail BMX when this flag is present but the user isn't elevated
There was a problem hiding this comment.
Yup I'll just move it to the okta authenticator and divert to password if it's not provided and they are admin
There was a problem hiding this comment.
Okay I moved it to the authenticator where if bmx is running as admin and no flag provided, we fall back to password. If not admin but flag provided, we set the flag to false so '--no-sandbox' doesn't get included
There was a problem hiding this comment.
I think that should also address the issue with wording you had Adipa since it's only on attempting to login now
I would think we just silently not use the no-sandbox flag if we aren't escalated. Set of things that lead us to have to use no-sandbox is kind of hard to convey to a user (you need to have a stale/close to stale okta session && you need to be trying to use Regardless of what our users do poorly (IMO invoking tools that don't need escalation is such a thing) we should try to do the correct thing and try to not use CC @cfbao EDIT: This also addresses Chenfeng's point about how credential process use of BMX means it could sometimes be escalated sometimes not |
|
@boarnoah |
| bool hasElevatedPermissions = UserPrivileges.HasElevatedPermissions(); | ||
| if( hasElevatedPermissions && !bypassBrowserSecurity ) { | ||
| consoleWriter.WriteWarning( $""" | ||
| BMX is being run with elevated privileges and is unable to automatically sign in to Okta. |
There was a problem hiding this comment.
Not in scope, but - some warnings messages are prefixed with "WARNING:" while others are not.
Would be nice to be consistent on this.
I lean towards no prefix, because we already use a different colour.
There was a problem hiding this comment.
Hmm yea you're right. I started with including the prefix since they were in the bmx config provider class but have been inconsistent. I see we use WriteWarning in other places though without it. I think I'll remove the prefix for this class
src/D2L.Bmx/OktaAuthenticator.cs
Outdated
| If you have to run BMX with elevated privileges, and aren't concerned with the security of {orgUrl.Host}, | ||
| consider running the command again with the '--experimental-bypass-browser-security' flag. |
There was a problem hiding this comment.
Nit:
When this happens, user might just enter their Okta password and move on, so this message is just an "FYI for next time", and they won't want to run this same command again right now even if they have to run BMX elevated and aren't concerned with the security of the Okta site.
Maybe a better message should say "consider using this flag" instead of "consider running the command again".
Another thing that bugs me and it concerns other related warning messages too - if a user can't use DSSO at all, either because their Okta org doesn't support it, or their computer or network condition isn't right, then ideally BMX shouldn't show any DSSO related warning messages at all. I don't think the current implementation does this.
No rush to fix this right now, but I'd like us to do something about this before releasing.
There was a problem hiding this comment.
I don't think the current implementation does this.
Yea if there was no DSSO implementation for an org, they would end up always seeing some warning messages about it
I think readding the passwordless flag could solved this where it is just defaulted to true.
There was a problem hiding this comment.
more like... --disable-passwordless that's default false.
or another flag/config name.
We should probably still rephrase some messages though.
later
Why
The
--experimental-bypass-browser-securityflag is only useful when running as admin.I'm not sure though if we would prefer to not completely kill the process as is happening here or just skip over the automatic login area. I lean to killing it so people don't get use to having this flag included regularly
Ticket
VUL-453