Default Open Registration - A Security Problem
-
By default the Rocket.Chat App, no matter the options (leave user management to the app, all Cloudron users or limited Cloudron users) the open registration is enabled and working!
I just got contacted by a friend who uses the Rocket.Chat App and had it limited to a few users on Cloudron and had a separate public Rocket.Chat for all community users.
Problem now, a community user just guessed the domain of the 'private' Rocket.Chat created an account and had access.
Just like that.
And since his Idea was 2x Rocket.Chats with the internal one having no restrictions on rooms for the staff the unwanted user had access to all channels and could read and write what ever he pleased.This ain't pretty.
He was quite shocked since he expected Cloudron to mange the access to the app and was baffled that even with the limit to Cloudron users option a non Cloudron user could sign up by default to his internal Rocket.Chat.(Rocket.Chat 4.0.3 App Package - newest)
-
@brutalbirdie indeed this should not be possible to sign up just like this. Not sure if this is related to the upstream LDAP changes, but I agree we have to see which setting we have to enforce to avoid this situation.
-
Well this is rather pointless..
I have added this to the env file in
/app/data/env:# Add custom env configuration in this file # export CREATE_TOKENS_FOR_USERS=true export Accounts_RegistrationForm="Disabled"Restarted the app and dumped the settings in mongodb to check the setting:
{ "_id" : "Accounts_RegistrationForm", "_updatedAt" : ISODate("2021-10-20T10:55:22.713Z"), "autocomplete" : true, "blocked" : false, "createdAt" : ISODate("2021-10-20T10:54:22.907Z"), "enterprise" : false, "group" : "Accounts", "hidden" : false, "i18nDescription" : "Accounts_RegistrationForm_Description", "i18nLabel" : "Accounts_RegistrationForm", "packageValue" : "Public", "public" : true, "requiredOnWizard" : false, "secret" : false, "section" : "Registration", "sorter" : 22014, "ts" : ISODate("2021-10-20T10:55:22.713Z"), "type" : "select", "value" : "Public", "valueSource" : "processEnvValue", "values" : [ { "key" : "Public", "i18nLabel" : "Accounts_RegistrationForm_Public" }, { "key" : "Disabled", "i18nLabel" : "Accounts_RegistrationForm_Disabled" }, { "key" : "Secret URL", "i18nLabel" : "Accounts_RegistrationForm_Secret_URL" } ], "processEnvValue" : "Disabled" }It says
"processEnvValue" : "Disabled"but guess what, it did not disable it.
For the logs, how did I dump the settings?
mongo -u "${CLOUDRON_MONGODB_USERNAME}" -p "${CLOUDRON_MONGODB_PASSWORD}" ${CLOUDRON_MONGODB_HOST}:${CLOUDRON_MONGODB_PORT}/${CLOUDRON_MONGODB_DATABASE} | tee /app/data/log.txt rs0:PRIMARY> db.rocketchat_settings.find().toArray() -
@brutalbirdie maybe we have to directly change that in the mongodb instance on app start
-
@brutalbirdie I have investigated this in the past. If we disable open registration, then you cannot register the initial admin user. So, it's a catch-22. See https://git.cloudron.io/cloudron/rocketchat-app/-/blob/master/start.sh#L22 .
In effect, even when you pre-setup LDAP, opening rocket.chat will show the initial Rocket.Chat wizard . But you cannot complete the wizard because open registration is disabled. The only thing we can do is put a message in post install message.
I guess this has to be reported upstream, not sure? In the past, there used to be a way to add an admin user programmatically but now we have a wizard (which I guess they want to collect info on the setup).
-
@girish said in Default Open Registration - A Security Problem:
there used to be a way to add an admin user programmatically but now we have a wizard (which I guess they want to collect info on the setup).
I guess you're referring to https://docs.rocket.chat/quick-start/creating-the-first-administrator? Does this approach no longer work?
Edit: It also looks like an initial user can be provided as JSON via the
INITIAL_USERenv var: https://github.com/RocketChat/Rocket.Chat/blob/ba15ba725a09581c2aba9b7eb539e255a7908697/server/startup/initialData.js#L121 -
@fiwand @BrutalBirdie I have pushed a new package that auto-creates admin user and disables open registration by default. This change is only for new installations, existing ones are untouched.
One thing is that previous packages used to disable password change for users (when using LDAP). But now, I had to allow it because otherwise admin user cannot change it. Hopefully, that's an ok compromise.
