Note: 2012-07-14 I just tested this security ‘workaround’ in FileMaker 12 and it continues to exist.
Open a File
The Admin user launches a file.
Using Admin level access
The Admin user is set to [Full Access] privileges. Full Access means that the user can add/edit/delete any of the fields, scripts, layouts, users, privilege sets and relationships within the database.
Under the file menu, the Admin user can access the Security privilege sets and user accounts.
Manage Security screen
We can see there is an account for a low-level user, coincidentally named ‘Low Level’. If the Admin user now makes any changes in this dialog box, such as editing the Accounts list or reassigning user Privilege Sets, they are prompted for their Admin-level password when they try to exit the screen and save their changes.
Confirm Full Access Login
At this point, the Admin user would enter his/her name and password and the changes would be saved. This is all good and how one might expect things to work.
The Security Risk
Presumably this password prompt is designed to prevent the case where the Admin user has gone for coffee, leaving his/her machine unlocked, and a nefarious user comes along and attempts to change their own privilege set to escalate their privileges. You would think that they shouldn’t be able to do this.
Well guess what? They can.
In this instance, Low Level comes along and escalates his privilege set to Full Access. He clicks OK and then OK again to leave the Security dialog box.
Here is the security breakdown
Instead of allowing the newly escalated Low Level fellow to confirm the changes, shouldn’t the original Admin login be required? That is not how this works: Low Level has upgraded their own privilege set AND confirmed that change themselves.
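To make the design point concrete, here is a small toy model of the confirmation step, added here as an example and not FileMaker’s own code. It shows the observed behaviour (the prompt is checked against the account list as edited in the dialog) beside a hardened version that checks the credentials against the account list as it was before the edit and only accepts the account that opened the dialog. The passwords and the ‘[Read-Only Access]’ privilege set for Low Level are assumptions for the example.

```python
# Added example, not FileMaker's code: toy model of the Manage Security
# confirmation step. Account names come from the post; passwords and the
# starting privilege set for Low Level are constructed for the example.
import copy
import hashlib
import hmac


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


ACCOUNTS = {
    "Admin":     {"pw": _hash("admin-secret"), "priv": "[Full Access]"},
    "Low Level": {"pw": _hash("lowlevel-pw"),  "priv": "[Read-Only Access]"},
}


def _credentials_ok(accounts, name, password):
    acct = accounts.get(name)
    return acct is not None and hmac.compare_digest(acct["pw"], _hash(password))


def commit_flawed(accounts, staged, session_user, name, password):
    """Observed behaviour: any account that holds Full Access in the EDITED
    (staged) list may confirm, so an account that just granted itself
    Full Access can confirm its own escalation. session_user is ignored."""
    if _credentials_ok(staged, name, password) and staged[name]["priv"] == "[Full Access]":
        accounts.clear(); accounts.update(staged)
        return True
    return False


def commit_hardened(accounts, staged, session_user, name, password):
    """Confirm against the pre-edit snapshot and bind to the logged-in principal."""
    if name != session_user:
        return False   # only the account that opened the dialog may confirm
    if not _credentials_ok(accounts, name, password):
        return False   # checked against the ORIGINAL accounts, not the edit
    if accounts[name]["priv"] != "[Full Access]":
        return False   # must already hold Full Access before the edit
    accounts.clear(); accounts.update(staged)
    return True


def scenario(commit, session_user, confirm_as, password):
    """Admin opened the dialog; someone stages Low Level -> [Full Access] and
    tries to confirm as `confirm_as`. Returns (accepted?, Low Level's priv)."""
    accounts = copy.deepcopy(ACCOUNTS)
    staged = copy.deepcopy(accounts)
    staged["Low Level"]["priv"] = "[Full Access]"
    ok = commit(accounts, staged, session_user, confirm_as, password)
    return ok, accounts["Low Level"]["priv"]
```

Running the coffee-break scenario through `commit_flawed` accepts Low Level’s own password and saves the escalation; `commit_hardened` rejects it while still letting Admin confirm a legitimate change with the Admin password.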
This seems like a flaw in an otherwise fairly secure system.
Of course you might argue that Admin should never have gone for coffee in the first place, but isn’t security design supposed to take human fallibility into account? Why bother prompting for a password at all if you are going to accept any user’s password?
I am just sayin’…