
Authenticate user in the application prior to running bin/magento commands


While there are multiple threats a modern Magento application faces, one of the weakest points from a security standpoint is the ability to run arbitrary commands via the command line without application-level authentication. It seems to me the bin/magento command should require a user to be authenticated with the Magento application prior to execution of a command on a fully installed system. Whether that is achieved via user/pass or another method is up for discussion, as long as the CLI is treated similarly to the web from an authentication point of view.


I understand that there are many ways to discount the need for such a feature, but given the power of the bin/magento command (and n98-magerun2) it seems prudent to authenticate (and log) actions.


This might be enforced at the framework / API level in order to help shell / CLI commands and n98-magerun inherit the same security stance.


Adding additional devdocs / publishing best practices on security-hardening a Magento installation would also be nice to see.


Thank you for listening,

Hardy Johnson


Technical Lead

Copious, Inc.


hardyj@copiousinc.com
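One way the "enforce it at the framework level" idea from the post could look is an event listener that gates and logs every console command before it runs. The sketch below is an added example, not Magento's or n98-magerun's own code; it assumes only that the CLI is a Symfony Console application (which bin/magento is), and the environment variable names, the operator hash file path and the list of commands exempted for initial setup are all hypothetical choices made for this illustration.

```php
<?php
// Added example (not Magento's own code): gate and log Symfony Console commands
// with a listener on ConsoleEvents::COMMAND, which fires before a command executes.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Console\Application;
use Symfony\Component\Console\ConsoleEvents;
use Symfony\Component\Console\Event\ConsoleCommandEvent;
use Symfony\Component\EventDispatcher\EventDispatcher;

// Hypothetical: commands allowed without an operator, so a fresh install still works.
$setupCommands = ['list', 'help', 'setup:install'];

// Hypothetical: one password_hash() value per operator, stored outside the web root.
const OPERATOR_HASH_FILE = '/etc/magento/cli-operators.json';

$dispatcher = new EventDispatcher();
$dispatcher->addListener(
    ConsoleEvents::COMMAND,
    function (ConsoleCommandEvent $event) use ($setupCommands): void {
        $command = $event->getCommand();
        if ($command === null || in_array($command->getName(), $setupCommands, true)) {
            return; // nothing to gate
        }

        // Hypothetical credential transport: operator name and secret from the environment.
        $user  = getenv('MAGENTO_CLI_USER') ?: '';
        $token = getenv('MAGENTO_CLI_TOKEN') ?: '';

        $hashes = json_decode((string) @file_get_contents(OPERATOR_HASH_FILE), true) ?: [];
        // password_verify() does a constant-time comparison against the stored hash.
        $allowed = isset($hashes[$user]) && password_verify($token, $hashes[$user]);

        // Log every attempt, allowed or denied, so CLI actions have the same audit trail as the web.
        syslog(
            $allowed ? LOG_INFO : LOG_WARNING,
            sprintf('magento-cli user=%s command=%s result=%s',
                $user === '' ? '-' : $user, $command->getName(), $allowed ? 'allowed' : 'denied')
        );

        if (!$allowed) {
            $event->getOutput()->writeln('<error>Authentication required for this command.</error>');
            // disableCommand() makes the Application skip execution and return a non-zero code.
            $event->disableCommand();
        }
    }
);

$app = new Application('Magento CLI (gated)');
$app->setDispatcher($dispatcher);
// ... register the application's commands as usual, then:
$app->run();
```

The listener runs for every command, so the gate cannot be bypassed by choosing a different sub-command, and the syslog line gives security operations a record of who ran what from the shell, whether or not the attempt succeeded.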