Mitigation for issue2551246 -u opton to roundup-admin

rouilj · rouilj · commit 6134e06ebcb7 · 2022-12-02T23:09:51.000-05:00
Missed change to man page.
diff --git a/share/man/man1/roundup-admin.1 b/share/man/man1/roundup-admin.1
@@ -9,7 +9,9 @@ roundup-admin \- administrate roundup trackers
 Specify the issue tracker "home directory" to administer
 .TP
 \fB-u\fP \fIuser\fP[\fB:\fP\fIpassword\fP]
-The user and password to use for commands
+The user and password to use for commands (partial implemention, see
+Security Notes below).
+.TP
 \fB-h\fP
 Print help text.
 .TP
@@ -253,6 +255,28 @@ merged/updated config file is written to \fI<filename>\fP.
 Commands may be abbreviated as long as the abbreviation
 matches only one command, e.g. l == li == lis == list.
 
+.SH SECURITY NOTES
+
+The \fB-u user\fP setting does not currently operate like a
+user logging in via the web. The user running roundup-admin
+must have read access to the tracker home directory. As a
+result the user has access to the files and the database
+info contained in config.ini.
+
+Using \fB-u user\fP sets the actor/user parameter in the
+journal. Changes that are made are attributed to that
+user. The password is ignored if provided. Any existing
+username has full access to the data just like the admin
+user. This is an area for further development so that
+roundup-admin could be used with sudo to provide secure
+command line access to a tracker.
+
+.SH ENVIRONMENT VARIABLES
+
+.TP
+\fBROUNDUP_LOGIN\fP
+Provides an alternate way to set the user.
+
 .SH FURTHER HELP
  roundup-admin -h
  roundup-admin help                       -- this help
