cloudstack-dev mailing list archives

From "Alena Prokharchyk (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CLOUDSTACK-287) Security bug: System user doesn't have any password
Date Mon, 08 Oct 2012 18:04:03 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alena Prokharchyk resolved CLOUDSTACK-287.
------------------------------------------

    Resolution: Fixed

Fixed with cfd2091337534f0ff7edcacd404c776fa202c5c7 and 29e6dae86de9482d6f2e85fe47fceeab45ecba9c.


Cases to test (for QA):

1) Deploy cloudStack anew. Make sure that the system user came with a non-null
random password.
2) Update from the previous cloudStack version. Verify that the system
user has a random password after the upgrade.
3) Check that the system user can't log in with this password. Test with
the UI as well as with the API login command.
4) Check that no API commands are allowed to execute against the system user.
registerUserKeys/enableUser/disableUser should fail for the system user.
5) Don't allow operations against the system account (enable/disable/delete the
system account + don't allow adding a new user to the system account).
                
> Security bug: System user doesn't have any password
> ---------------------------------------------------
>
>                 Key: CLOUDSTACK-287
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-287
>             Project: CloudStack
>          Issue Type: Bug
>    Affects Versions: 4.0.0
>            Reporter: Alena Prokharchyk
>            Assignee: Alena Prokharchyk
>            Priority: Critical
>             Fix For: 4.0.0
>
>
> During the cloudStack installation and db setup, the System account/user are inserted
> into the DB. These account/user are dedicated for system actions (background cleanup threads,
> for example), events, and objects (SSVM and CPVM belong to the system account). Plus, when an API request
> comes from port 8096, we don't do any sort of authentication, and assume that the caller is
> the System user. This is all expected behavior.
> The bug is:
> * System user doesn't have any password.
> * It's possible to log in as the System user with no password, and do any API calls after
> that.
> * You can register api/secret keys for the System user, and do any API request as this
> user using api/secret key authentication.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
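As an added illustration (not CloudStack's own code and not part of the issue thread), the model below encodes the hardening that the five QA cases above check for: the system user gets a random, non-empty password at deploy or upgrade time, can never log in even with that password, and is refused as the target of user and account management calls. The class and function names (`AccountStore`, `SystemPrincipalError`, `run_qa_cases`), the reserved id `1` for the system principals, and the salted SHA-256 hashing are assumptions made for the model and do not reflect CloudStack's real schema or AccountManager.

```python
import hashlib
import hmac
import secrets

# Assumption for this model: id 1 is the reserved system account and system
# user inserted at DB setup (the report does not give the real ids).
SYSTEM_ACCOUNT_ID = 1
SYSTEM_USER_ID = 1


class SystemPrincipalError(PermissionError):
    """A request targeted the reserved system account or user."""


def _hash(password, salt):
    # Constructed scheme for the model only; production code would use a
    # dedicated password hash such as bcrypt or argon2.
    return hashlib.sha256((salt + password).encode()).hexdigest()


class AccountStore:
    """In-memory stand-in for the account/user tables (constructed for this example)."""

    def __init__(self):
        self.accounts = {}   # id -> {"name": str, "user_ids": set}
        self.users = {}      # id -> user record dict
        self._next_id = 2    # id 1 is reserved for the system principals

    def _guard(self, user_id=None, account_id=None):
        """Deny any management call aimed at the system user or account."""
        if user_id == SYSTEM_USER_ID or account_id == SYSTEM_ACCOUNT_ID:
            raise SystemPrincipalError("operation not permitted on the system principal")

    def _put_user(self, user_id, account_id, username, password):
        salt = secrets.token_hex(8)
        self.users[user_id] = {"id": user_id, "account_id": account_id, "username": username,
                               "salt": salt, "hash": _hash(password, salt),
                               "enabled": True, "api_key": None, "secret_key": None}
        self.accounts[account_id]["user_ids"].add(user_id)

    def bootstrap_system_principals(self):
        """Fresh deploy or upgrade: the system user gets a random, non-empty password
        that is never disclosed. It is returned here only so QA case 3 can prove
        that even the correct password is refused at login."""
        password = secrets.token_urlsafe(32)
        self.accounts.setdefault(SYSTEM_ACCOUNT_ID, {"name": "system", "user_ids": set()})
        self._put_user(SYSTEM_USER_ID, SYSTEM_ACCOUNT_ID, "system", password)
        return password

    def create_account(self, name, username, password):
        account_id = self._next_id
        self._next_id += 1
        self.accounts[account_id] = {"name": name, "user_ids": set()}
        return account_id, self.add_user(account_id, username, password)

    def add_user(self, account_id, username, password):
        self._guard(account_id=account_id)      # case 5: no new users on the system account
        user_id = self._next_id
        self._next_id += 1
        self._put_user(user_id, account_id, username, password)
        return user_id

    def login(self, username, password):
        """Return the user id on success, None on failure."""
        user = next((u for u in self.users.values() if u["username"] == username), None)
        if user is None or user["id"] == SYSTEM_USER_ID or not user["enabled"]:
            return None                         # case 3: the system user never logs in
        if hmac.compare_digest(user["hash"], _hash(password, user["salt"])):
            return user["id"]
        return None

    def register_user_keys(self, user_id):
        self._guard(user_id=user_id)            # case 4: registerUserKeys refused
        user = self.users[user_id]
        user["api_key"], user["secret_key"] = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        return user["api_key"]

    def set_user_enabled(self, user_id, enabled):
        self._guard(user_id=user_id)            # case 4: enableUser/disableUser refused
        self.users[user_id]["enabled"] = enabled

    def delete_account(self, account_id):
        self._guard(account_id=account_id)      # case 5: system account cannot be deleted
        for uid in self.accounts.pop(account_id)["user_ids"]:
            self.users.pop(uid, None)


def _denied(call, *args):
    try:
        call(*args)
    except SystemPrincipalError:
        return True
    return False


def run_qa_cases():
    """Encode the five QA cases from the comment; each value is True when the case passes."""
    fresh = AccountStore()
    sys_pw = fresh.bootstrap_system_principals()
    sys_user = fresh.users[SYSTEM_USER_ID]

    legacy = AccountStore()                     # constructed pre-fix database: empty password
    legacy.accounts[SYSTEM_ACCOUNT_ID] = {"name": "system", "user_ids": {SYSTEM_USER_ID}}
    legacy.users[SYSTEM_USER_ID] = {"id": SYSTEM_USER_ID, "account_id": SYSTEM_ACCOUNT_ID,
                                    "username": "system", "salt": "", "hash": "",
                                    "enabled": True, "api_key": None, "secret_key": None}
    legacy.bootstrap_system_principals()        # the upgrade path rotates the empty password

    _, alice = fresh.create_account("acme", "alice", "correct horse")
    return {
        "1_fresh_deploy_random_password": len(sys_pw) > 0 and sys_user["hash"] != _hash("", sys_user["salt"]),
        "2_upgrade_replaces_empty_password": legacy.users[SYSTEM_USER_ID]["hash"] != "",
        "3_system_login_rejected": fresh.login("system", sys_pw) is None and fresh.login("system", "") is None,
        "4_user_api_blocked_for_system": all(_denied(f, *a) for f, a in [
            (fresh.register_user_keys, (SYSTEM_USER_ID,)),
            (fresh.set_user_enabled, (SYSTEM_USER_ID, True)),
            (fresh.set_user_enabled, (SYSTEM_USER_ID, False))]),
        "5_account_ops_blocked_for_system": _denied(fresh.delete_account, SYSTEM_ACCOUNT_ID)
            and _denied(fresh.add_user, SYSTEM_ACCOUNT_ID, "intruder", "x"),
        "regular_user_unaffected": fresh.login("alice", "correct horse") == alice
            and fresh.register_user_keys(alice) is not None,
    }
```

The design point is that the guard is a property of the principal's identity, not of its credential: the system user is refused in `login` before any hash comparison, and every management call checks the reserved ids first, so a random password alone would not have closed the key-registration path described in the bug.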
