Disable Cloudron user login
-
I was trying to avoid using the Cloudron user to sign into YOURLS so I set the Access Control to an empty group with no users. After restarting the app it seems that it still signs in with the Cloudron admin user. How can I disable this?
I worry that by using the Cloudron password for each app, it might become a security issue if any one app has low security. Is that something I should be concerned about?
-
@rosano it sounds like perhaps you should re-install YOURLS but using the "Leave user management to the app" option.
I think that would mean your Cloudron users (including Admin) wouldn't be able to login with their Cloudron credentials.
Other options would be
- ensure you've got 2FA turned on for your Cloudron Admin account (so it can't be brute forced), and/or
- make your Cloudron Admin password insanely long and secure (and use the Vaultwarden app to remember it).
-
@rosano Cloudron Admin users can always log in to all apps (if they have LDAP integration enabled).
Perhaps just make another user with fewer permissions for accessing YOURLS if you're concerned?
See also App Passwords in the docs:
https://docs.cloudron.io/profile/#app-passwords
That may be exactly what you are looking for
-
@jdaviescoates The "App Passwords" is a pretty amazing feature, didn't know about that. I tried it and it works well, but it's still possible to login with the main account. I guess I worry that if someone can brute force guess the main account via one app, then it compromises all the apps…
-
@jdaviescoates Makes sense, I forgot about that option.
It seems to allow me to login only via a specified account which is great, but if I try to move my data from the old installation via Cloudron backup, I get this error:
Invalid configuration for YOURLS LDAP plugin. Check PHP error log.
Maybe it's copying the Access Control settings for the app?
-
@rosano said in Disable Cloudron user login:
I worry that by using the Cloudron password for each app, it might become a security issue if any one app has low security. Is that something I should be concerned about?
What we do to mitigate this is to enable 2FA inside each app wherever applicable. Cloudron dashboard also has 2FA, of course.
-
@rosano said in Disable Cloudron user login:
It seems to allow me to login only via a specified account which is great, but if I try to move my data from the old installation via Cloudron backup, I get this error:
Do you mean both are Cloudron installations? In that case, if I am following correctly, the old one had access control enabled but the new one doesn't. Correct?
If the above is correct, go to the filemanager of the new instance and delete the
/app/data/user/plugin/yourls-ldap-plugin
and see if that helps.
-
@girish said in Disable Cloudron user login:
go to the filemanager of the new instance and delete the
/app/data/user/plugin/yourls-ldap-plugin
and see if that helps.
Bingo! That was what I needed. It was actually a symlink and not possible to delete via the file manager, but I was able to
rm yourls-ldap-plugin
via the shell and then restart the app. Works as desired now, thank you