<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" id="owaParaStyle"></style>
</head>
<body class="" style="word-wrap:break-word" fpstyle="1" ocsi="0">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">Chris, all:
<div><br>
</div>
<div>Speaking as someone who isn't a security expert at all, I'd just point out that the two migration tools are not part of the ArchivesSpace core code -- also, I've felt really good with how security is handled in the core code so far, although I do scratch
my head at times with how global, repository, and user permissions and preferences function. Still, I have no clue why the migration tools would need to create an additional "system admin" user during the migration process, but since they both do, I'd expect
that the migration tools should at least remove those users after the migration, as you suggested, Chris. Since that's not the case, I just wanted to bring the issue up to a wider audience again. Speaking of which, I'll make sure to post the same message
to the Google Group tomorrow (but if anyone wants to beat me to it, feel free!).</div>
<div><br>
</div>
<div>All that said, I'm sure that code reviews, security audits, and the like would be extremely welcome -- ArchivesSpace is open-source software, after all! <span style="font-size: 10pt;">I'd also like to make a pitch that an accessibility review be conducted
for the staff interface, if a major one hasn't already been conducted, as I've heard from some staff members that they have a difficult time with the default styling (particularly with contrast and other visual elements), but I'm loath to admit that we haven't
done that yet. Perhaps other have?</span></div>
<div><br>
</div>
<div>Lastly, I'd actually say that my confidence with the software has only grown the more that I've used it and seen the amount of work that's gone into it in such a short amount of time already. And I expect that the quality will only increase as more and
more developers start pitching in with bug fixes and the like... but right now, the migration specialist position hasn't been refilled, and I don't believe there are any plans to do that (although I'd recommend it, since my usual response is that the optimal
number of staff is usually more than what you've got if you're growing, even though that's not a solution in and of itself, of course!).</div>
<div><br>
</div>
<div>Mark</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
<div style="font-family: Times New Roman; color: #000000; font-size: 16px">
<hr tabindex="-1">
<div id="divRpF631298" style="direction: ltr;"><font face="Tahoma" size="2" color="#000000"><b>From:</b> archivesspace_users_group-bounces@lyralists.lyrasis.org [archivesspace_users_group-bounces@lyralists.lyrasis.org] on behalf of Prom, Christopher John [prom@illinois.edu]<br>
<b>Sent:</b> Tuesday, February 09, 2016 4:08 PM<br>
<b>To:</b> Archivesspace Users Group<br>
<b>Subject:</b> Re: [Archivesspace_Users_Group] More admins, more problems<br>
</font><br>
</div>
<div></div>
<div>Mark,
<div class=""><br class="">
</div>
<div class="">Thanks for bringing this up. </div>
<div class=""><br class="">
</div>
<div class="">I just checked and in the case of the archon migrations, the asadmin user is not created. However, it does make a user ‘aspace’ and grants it full admin rights. Even worse, you can login as that user with NO password (i.e. field is blank). So,
that one should definitely be killed off manually or even better the migration tool should delete it when done.</div>
<div class=""><br class="">
</div>
<div class="">In addition, there is another problem with archon migrations, in that the migration tool takes ALL of the existing users from archon DBs, and migrates them into aspace as read only users with the same login, and no password. You can then login
to the app with the old users name and no password (field is blank) and can view but not edit data.</div>
<div class=""><br class="">
</div>
<div class="">All of the users the migration tool create are read only—but still this is a security problem since someone might be able to view restricted data or find a hack to get more permissions on the DB.</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">
<div class="">
<div>As a related question, how is security handled generally in ASpace? Is it relying on an external security library, or bespoke code, or some combination of the two? </div>
<div><br class="">
</div>
<div>The discovery of these types of things, in all honesty, does not engender confidence, and probably indicates the need for a thorough security audit. While the above problems can be cleaned up after the fact, not an ideal solution.</div>
<div><br class="">
</div>
<div>Chris Prom</div>
<div>Univeristy of Illinois Archives</div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Feb 9, 2016, at 2:39 PM, Custer, Mark <<a href="mailto:mark.custer@yale.edu" class="" target="_blank">mark.custer@yale.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class=""><style class="">
<!--
@font-face
{font-family:"Cambria Math"}
@font-face
{font-family:Calibri}
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif}
span.EmailStyle17
{font-family:"Calibri",sans-serif;
color:windowtext}
span.EmailStyle18
{font-family:"Calibri",sans-serif;
color:#1F497D}
span.EmailStyle19
{font-family:"Calibri",sans-serif;
color:#1F497D}
span.EmailStyle20
{font-family:"Calibri",sans-serif;
color:windowtext}
.MsoChpDefault
{font-size:10.0pt}
@page WordSection1
{margin:1.0in 1.0in 1.0in 1.0in}
-->
</style>
<div lang="EN-US" class="">
<div class="WordSection1">
<p class="MsoNormal"><span class="" style="color:#1F497D">All,</span></p>
<p class="MsoNormal"><span class="" style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span class="" style="color:#1F497D">I wanted to send out a friendly reminder about admin accounts in ArchivesSpace (and this is coming strictly from an ArchivesSpace user’s perspective).</span></p>
<p class="MsoNormal"><span class="" style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span class="" style="color:#1F497D">As most are aware, when you install ArchivesSpace without any configuration changes, you wind up with a single admin account in ArchivesSpace that has a username equal to “<b class="">admin</b>” and
a password set to be the same. You’ll want to change this password to something else long before you go into production mode. For the most part, I think that people take care of this on or around day one, but if you can log into your ASpace application using
that username and password, you’ll want to update that password to something else that’s a lot more secure!</span></p>
<p class="MsoNormal"><span class="" style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span class="" style="color:#1F497D">Less well known is what happens when you use the migration tool to populate your ArchivesSpace database (I sent an email about this to the listserv way back on May 8, 2015, but I don’t know if what I’m
about to describe is documented anywhere else yet). If you’ve migrated to ArchivesSpace using the Archivists’ Toolkit migration tool (and I’m pretty sure this happens with the Archon tool, as well), then another admin user will be added to your database.
This admin user will have a username that’s equal to “<b class="">asadmin</b>”. I’m not actually sure why the migration tool creates another user (or if the current versions still do this), especially since you have to supply admin credentials to the migration
tool to run against the ASpace API, but I know that this happened during our migration process – and I’ve seen this phantom admin user account in other ArchivesSpace installations, as well. When we discovered this new user, we deleted it from our database
immediately after our final migration process.</span></p>
<p class="MsoNormal"><span class="" style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span class="" style="color:#1F497D">So, I’d like to ask everyone out there to check and see if they can login to their own ArchivesSpace with an “<b class="">asadmin</b>” account, whether you’re in production or not (the password is easy
to guess, since it’s the same as the default admin user’s password). If you can log in that way, I’d suggest deleting that user immediately!</span></p>
<p class="MsoNormal"><span class="" style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span class="" style="color:#1F497D">Mark</span></p>
<p class="MsoNormal"><span class="" style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span class="" style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span class="" style="color:#1F497D"> </span></p>
<p class="MsoNormal"><span class="" style="color:#1F497D"> </span></p>
</div>
</div>
_______________________________________________<br class="">
Archivesspace_Users_Group mailing list<br class="">
<a href="mailto:Archivesspace_Users_Group@lyralists.lyrasis.org" class="" target="_blank">Archivesspace_Users_Group@lyralists.lyrasis.org</a><br class="">
http://lyralists.lyrasis.org/mailman/listinfo/archivesspace_users_group<br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>