When in Admin

Started by Kustomuk, September 10, 2021, 10:37:44 AM


Kustomuk

Logged in to our test board, and when in Admin looking about and then wanting to go into admin settings, it keeps asking for a password even though I'm logged in as Admin anyway.

Running nightly updates, RC4 2.1

Also, when I modify a post the screen turns yellow, and after a refresh it goes back to normal again.


Just thought I'd point it out... But it's looking great, loving everything about RC4 2.1, great work.

 :)

Arantor

Yes, it's for security and every single version of SMF has done it by default. The only difference in 2.1 is that the tick box to disable it is gone and you have to edit the database.

The idea is that you log in and have to log in again every hour to admin so that if your account is compromised via session, someone still has to know your password to do admin things.

As for removing the "disable security" tick box, this is to prevent people who aren't the proper admin leveraging access - as in if your session is compromised, first thing I'd do is turn that option off so I could just keep using the session!

Putting it in the database only protects against that.
Holder of controversial views, all of which my own.


Kustomuk

Well that's just fantastic,

It's coming along just fine and looks awesome,

Great work on what I would like to say is your best release up to now.

 :)

Great work

Shades.

Quote from: Arantor on September 10, 2021, 10:41:54 AM
Yes, it's for security and every single version of SMF has done it by default. The only difference in 2.1 is that the tick box to disable it is gone and you have to edit the database.

The idea is that you log in and have to log in again every hour to admin so that if your account is compromised via session, someone still has to know your password to do admin things.

As for removing the "disable security" tick box, this is to prevent people who aren't the proper admin leveraging access - as in if your session is compromised, first thing I'd do is turn that option off so I could just keep using the session!

Putting it in the database only protects against that.

Did they remove it from the GitHub version? Cause the tick box is still in the 2.1 RC4 download from here; it was just moved to Maintenance > Security.
ShadesWeb.com - Custom Logos - My Themes on SMF | My Themes on ShadesWeb
https://shadesweb.com

BikerHound.com - Sniffing out the road ahead
https://bikerhound.com

Dream as if you'll live forever; Live as if you'll die today. - James Dean

Sir Osis of Liver

Hasn't been removed, it's in Maintenance > Server Settings > Security in today's GitHub.
Even if the whole world has forgotten,
The song remembers when.

                              - H. Prestwood

Arantor

Oh, someone put it back in because I did remove it originally.


Douglas

IMHO, it shouldn't be removed (though I have no issues with it being relocated to a place that makes better sense).

Yes, continue to have it enabled by default, however, there are a few of us that know and understand the risks of disabling that feature. We also have pretty tight password requirements for admins, as well.

This is something that needs to stay controllable by each site's owner/admin team, and not taken away or "hidden" or require a database edit. :) (JUST my not so humble opinion, hah!)
Doug Hazard
* Full Stack (Web) Developer for The Catholic Diocese of Richmond
(20+ Diocesan sites, 130+ Church sites & 24 School sites)
* HBCUAC.org Web Developer, the NAIA's only HBCU Athletic Conference
* Former Sports Photographer and Media Personality and Former CFB Historian
* Tech Admin for one 2.9M+ post and one 11.6M+ post sites. Used to own a 1M+ post site.
* WordPress Developer (Junkie / Guru / Maven / whatever)

Shades.

Quote from: Douglas on September 10, 2021, 05:16:25 PM
IMHO, it shouldn't be removed (though I have no issues with it being relocated to a place that makes better sense).

This is something that needs to stay controllable by each site's owner/admin team, and not taken away or "hidden" or requires a database edit. :) (JUST my not so humble opinion, hah!)

I agree! 8)

Arantor

Douglas, you misunderstand my point and from an information security perspective, you're actually wrong.

Precisely because if your session got hijacked, anyone who did so could immediately make your forum less strongly secured and keep their own access as a result without you even noticing, giving them more time to do whatever it is they got in to do.

Same reason that when I ran SMF I always made sure all the files were not writable (and not editable via FTP) so neither the package manager nor the theme editor could be used to hijack the forum.

And before anyone tells me that no-one does that, I've literally seen it done on large scale forums where getting in to get a boatload of user data was absolutely the intention (with more users at risk than even your forums, Douglas, Hogville might have amongst the most *posts* but there are SMF installs with many, many more *users* to risk with such insecurity)

Excuse me for trying to do the correct thing with regards to security, but by all means, continue to demand options that can and will be used to make you less secure, because you'd rather have that convenience.

Though the more I think about it, the more I think I should just make a single massive patch that removes all my changes. You clearly would all be a lot happier if I hadn't tried to do things like reduce the number of configurations out there to make testing easier/to confuse fewer people/align the platform to modern expectations.


Illori

There are times that one of the maintenance tasks takes longer than 1 hour to complete; without this feature that task would never complete.

Arantor

Because there are no other possible ways to solve this that don't require making things less secure, obviously. There have always been alternatives that don't reduce the security of the forum but everyone is too upset at the thought that things might ever change to consider them.


Sir Osis of Liver

I have always disabled admin security on my forums.  If there's a better way to do it, i.e. requiring password to disable it, I'm all for it.  But wouldn't want to lose the option.

Chief of Nothing

Ahh @Arantor, keep your chin up, some of us get it. I'm amazed at the amount of negativity here around 2.1's features, you know, something that's open source and could have been tested and contributed to by others over the many years it's been in development.


Sir Osis of Liver

User input is part of the development process, and this is a good opportunity for the devs (and Arantor) to see how folks respond to the changes in 2.1.  Criticism should be offered constructively, and taken as such.  It's nothing personal.

Chief of Nothing

Absolutely Sir Osis, but unfortunately I haven't seen a lot of the "constructively" part (and no, emojis don't make up for the words that one writes); not saying this thread specifically but overall.

As for this thread, I actually agree, the option shouldn't be removed (though it could possibly require a separate security check to disable). I'm usually in favour of the power user approach: I'll give you all the options and I'll give you the appropriate warnings for those options. If you say that you know the implications of what you're doing that's fine, but if you get hacked because you really didn't understand the implications then don't come back crying.

But that's just me. I also understand Arantor's approach when he originally removed the option to provide protection; unfortunately it's far too easy for anyone on this planet to put something up on the web without understanding any one thing about it. Root cause for each and every compromised site and server right there!

Arantor

Quote from: Sir Osis of Liver on September 10, 2021, 10:32:03 PM
I have always disabled admin security on my forums.  If there's a better way to do it, i.e. requiring password to disable it, I'm all for it.  But wouldn't want to lose the option.


I guess it has to be spelled out again. I never removed the functionality, only the UI. It would be a single change in the DB, adding a single row to the settings table, to enable it, as I had changed it.

On the theory that, that way, only the authorised actual admin could ever change it since someone breaking into your account wouldn't be able to do so.

But since the change has been reverted, you can all stop complaining about the bad man that took your choices away.

Quote from: Chief of Nothing on September 10, 2021, 11:13:12 PM
I'm amazed at the amount of negativity here around 2.1's features, you know, something that's open source and could have been tested and contributed to by others over the many years it's been in development.

I'd have been a lot less salty about people being upset about the changes if this feedback weren't *literal years later*. I stopped being a dev contributor in 2014. It's 2021 and suddenly the goddamn sky is falling.

But I find it deeply interesting that the stuff I did falls into two camps: the stuff literally no-one talks about, or the stuff people complain about. I haven't seen a single thread where anyone points to any one thing I did and reacted *positively* since RC4 landed here.

Quote from: Sir Osis of Liver on September 10, 2021, 11:19:40 PM
Criticism should be offered constructively, and taken as such.  It's nothing personal.

The way most people phrase it - often you included - it comes across as deeply personal. Especially when it's *years* too late. If you'd been telling me these things in 2014 when they were actually implemented, I might not have been quite so bitter about the whole experience.

Quote from: Sir Osis of Liver on September 10, 2021, 11:19:40 PM
this is a good opportunity for the devs (and Arantor) to see how folks respond to the changes in 2.1.

Mostly whining from what I can tell that things aren't where they were, or don't act like they did in 2.0. Frankly as far as I'm concerned most of you should just stay on 2.0 forever, you'll be happier.

This is also why I spent a fair amount of the last few years ripping out parts of the system and rebuilding them in a way I was (somewhat) happier with.

Quote from: Chief of Nothing on September 11, 2021, 12:21:37 AM
because you really didn't understand the implications then don't come back crying

If a literal software security firm (Avast) can't understand the implications of correctly securing a platform, what hope do the rest of the people have? Most people run their sites in an insecure way and the SMF team encourages them to do so. Sorry but that is how it is. If the package manager works on your site, you're fundamentally insecure. Ditto the theme editor.

To all the people complaining that 'the option was removed', it was nothing that [tt]INSERT INTO smf_settings (variable, value) VALUES ('securityDisable', '1');[/tt] wouldn't reimplement. Just, if you're going to, there should be a higher bar to clear than something an attacker can trivially do once in to make themselves more comfortable.

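Arantor's hourly admin re-login gate (his first reply) and the database-only securityDisable row (the INSERT in the post above), as an added PHP illustration that is not SMF's own code. It assumes an in-memory stand-in for the settings table and an 'admin_time' session key; function names are also assumptions for this example.

```php
<?php
// Added illustration, not SMF's own code: the hourly admin re-login gate
// described in the thread, plus a securityDisable switch that lives only in
// the settings table. Function names and the 'admin_time' key are assumptions.

const ADMIN_REAUTH_WINDOW = 3600; // one hour, as in the thread

// Constructed stand-in for the smf_settings table (variable => value).
// No 'securityDisable' row means the gate is on, which is the default.
$settingsTable = [];

// Read the switch straight from the table copy, never from request input or
// the session, so a hijacked session cannot flip it with a forged form post.
function securityDisabled(array $settingsTable): bool
{
    return ($settingsTable['securityDisable'] ?? '0') === '1';
}

// True when this session may reach admin pages without re-entering the password.
// $now is passed in so the window logic can be exercised with fixed timestamps.
function adminSessionValid(array $session, array $settingsTable, int $now): bool
{
    if (securityDisabled($settingsTable)) {
        return true;
    }
    $verifiedAt = $session['admin_time'] ?? 0;
    return ($now - $verifiedAt) < ADMIN_REAUTH_WINDOW;
}

// Only a correct password refreshes the stamp; a valid login cookie alone does not.
function reauthenticateAdmin(array &$session, string $storedHash, string $password, int $now): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    $session['admin_time'] = $now;
    return true;
}

// Walk-through with constructed values.
$hash    = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$session = ['id_member' => 1]; // logged in, but never password-verified for admin
$t0      = 1631268000;         // arbitrary epoch timestamp

var_dump(adminSessionValid($session, $settingsTable, $t0));                          // no stamp yet
var_dump(reauthenticateAdmin($session, $hash, 'wrong password', $t0));               // rejected
var_dump(reauthenticateAdmin($session, $hash, 'correct horse battery staple', $t0)); // stamp set
var_dump(adminSessionValid($session, $settingsTable, $t0 + 1800));                   // inside the hour
var_dump(adminSessionValid($session, $settingsTable, $t0 + 3601));                   // window expired

// The only way to turn the gate off is the INSERT quoted in the thread; here the
// equivalent row is added to the constructed table to show its effect.
$settingsTable['securityDisable'] = '1';
var_dump(adminSessionValid($session, $settingsTable, $t0 + 3601));                   // gate bypassed
```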

Chief of Nothing

Quote from: Arantor on September 11, 2021, 06:46:13 AM
But I find it deeply interesting that the stuff I did falls into two camps: the stuff literally no-one talks about, or the stuff people complain about. I haven't seen a single thread where anyone points to any one thing I did and reacted *positively* since RC4 landed here.

Well, overall I'm quite happy with 2.1, but as I suspect is the same for a lot of people I don't know all the things you did for it; except for what you owned up to in recent posts and trawling through the commits to find out who did what isn't what I'd say is a good use of my time.

Quote:
The way most people phrase it -
+1. Some of the things I've read recently have been just disgusting.

Quote:
If a literal software security firm (Avast) can't understand the implications of correctly securing a platform, what hope do the rest of the people have? Most people run their sites in an insecure way and the SMF team encourages them to do so. Sorry but that is how it is. If the package manager works on your site, you're fundamentally insecure. Ditto the theme editor.

Avast is driven by making money and any shortcut to make that happen...; SMF is not, so I think the fundamental causes of security failings aren't really comparable between the two. I'm not so sure that the SMF team encourages insecureness, but 2.1 has been in development for so long it simply hasn't kept up with modern security. As for what hope the rest of the people have, well, for the great majority not a lot, but for SMF that's something I hope to change.

Arantor

Quote from: Chief of Nothing on September 11, 2021, 08:26:15 AM
Well, overall I'm quite happy with 2.1, but as I suspect is the same for a lot of people I don't know all the things you did for it

Here's the thing, I do know what I did - and I find it funny how little people talk about the good things in 2.1 in general. I don't even recall anyone actually pointing at *any* of the features that are new, interesting and worthwhile and going 'hey, that's neat', whether I did them or not. At least if there had been some specific positive feedback about what was done well, I wouldn't have the overriding feeling that literally none of it was worth the effort.

Because that's where we're at. I see people saying 'best release ever' except not able to point to a single thing they like. That's the other thing about constructive criticism, you need to point out the good stuff *too* so people know what to keep working on, as well as the things to change.

Quote from: Chief of Nothing on September 11, 2021, 08:26:15 AM
Avast is driven by making money and any shortcut to make that happen..., SMF is not so I think the fundamental causes of security failings isn't really comparable between the two.

I was talking about Avast's SMF forum which was hacked in 2014. There were no actual vulnerabilities in the software per se that were exploited but if proper security measures were taken - like you'd assume a security company would do - the hack could not have happened.

What happened to Avast could have happened to *literally almost anyone* running an SMF instance because the setup out of the box is encouraged to be insecure in the name of convenience. I don't believe that this should be acceptable, never have. And yet... I'm the one in the wrong because I would rather make you all a little more inconvenient on occasion for a lot more safety.

But this is wildly off topic at this point, and yet somehow not.


Chief of Nothing

Quote from: Arantor on September 11, 2021, 10:25:10 AM
But this is wildly off topic at this point, and yet somehow not.

Probably, and I don't mean to hijack someone else's thread, but I think the dialog is important right now (and I hope it's helping). If the mods see fit they will split the topic.

So, ok, I think 2.1 is a great visual improvement over 2.0.x, and here's one thing I really do like: the new way of uploading attachments before you hit the post button. I can't tell you how many times I got frustrated by losing a post because something choked when uploading a lot of attachments with a post. As for anything else, well, I can't really say because I've only used the backend of 2.1, nothing previous.

Ok, now I get what you're saying; I had completely forgotten about Avast's forum being hacked. I still think that's not a great comparison though: yes, Avast is a security company, but they make PC software and the like and I wouldn't put their web security intelligence above anyone else's, not even everyday 'upload and go' Joe Blog's web security intelligence.

And don't worry about being the one in the wrong for being security conscious for others; we need security conscious people and I'm sure it'll be my turn to be the bad man soon enough.

Antechinus

Quote from: Arantor on September 11, 2021, 06:46:13 AM
I guess it has to be spelled out again. I never removed the functionality, only the UI. It would be a single change in the DB, adding a single row to the settings table, to enable it, as I had changed it.

On the theory that, that way, only the authorised actual admin could ever change it since someone breaking into your account wouldn't be able to do so.

It's a good idea. Frankly I only ever disable it on test sites on local anyway, never if the forum is live on the web (even if it is only a test site). Inserting the setting back into a test site db would be trivial.

Quote:
I'd have been a lot less salty about people being upset about the changes if this feedback weren't *literal years later*. I stopped being a dev contributor in 2014. It's 2021 and suddenly the goddamn sky is falling.

That's because most users of the software ignore dev builds. They see dev builds as being similar to concept cars at a car show: cute and amusing, but not something they can use, so not something to devote more than a passing glance to. Only when it's looking like a usable product do they start paying attention.

Quote:
But I find it deeply interesting that the stuff I did falls into two camps: the stuff literally no-one talks about, or the stuff people complain about.

Human nature. People tend to talk about things that piss them off, for whatever reason. If something doesn't piss them off, they may not notice it.

Quote:
If the package manager works on your site, you're fundamentally insecure. Ditto the theme editor.

I don't think many people would miss the theme editor. TBH there are easier ways of editing themes than via the SMF theme editor.

The package manager is another thing entirely, and one of SMF's best features in terms of usability and maintenance. Disabling that would reduce SMF to "just another forum app" at best, so if Pacman was to go it would have to be replaced by something more secure but similarly useful.
