karaf-issues mailing list archives

From "Tom Quarendon (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KARAF-5330) Default access control list for console allows any user to cat files, and write to files.
Date Wed, 06 Sep 2017 06:54:00 GMT

    [ https://issues.apache.org/jira/browse/KARAF-5330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16154897#comment-16154897

Tom Quarendon commented on KARAF-5330:

But that's not really the same thing, is it?
I don't know enough about the capabilities of the shell to know whether that closes all the
holes. For example, > isn't covered by access control, so maybe there are other things
too. I bet it's possible to find ways of generating stuff that I can then pipe to a file with

In order to use that technique, I would have to remove all the supplied access control lists
from the etc directory and then set that property. So fine, now only admins can execute any
command at all. But as soon as I want to allow another type of user to be able to execute
a command, I reopen the hole. So, kind of, what is the point of the whole role-based access
control on commands? I can't use and maintain a secure system.

It troubles me that the default configuration isn't secure. I bet that someone who knows what
they are doing could at best mess up any karaf installation they have access to, regardless
of their level of authorisation.

> Default access control list for console allows any user to cat files, and write to files.
> -----------------------------------------------------------------------------------------
>                 Key: KARAF-5330
>                 URL: https://issues.apache.org/jira/browse/KARAF-5330
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf-security, karaf-shell
>            Reporter: Tom Quarendon
>            Assignee: Jean-Baptiste Onofré
>             Fix For: 4.2.0, 4.0.10, 4.1.3
> The shell:cat command has no access control list associated with it in the default configuration.
> The same is true of the "shell:ls" command. There may be other shell: commands too that
> can provide filesystem access. I don't know whether cd, pwd for example should be secured.
> "tac" most certainly should.
> This means that any user that can access the ssh console can navigate the filesystem,
> reading and writing files as they like.
> For example, given the default configuration, if I have a "normal" user and can therefore
> access the console, I can use shell commands to find out or guess the location of the karaf
> install (shell:pwd will do that), then cat the contents of the etc/users.properties file and
> find out all users' passwords (in the default configuration the passwords are in plain text).
> I can also cat the etc/host.key file which would seem undesirable.
> tac clearly would be a very dangerous command to have access to. It seems likely that
> I could subvert many things by just writing directly to configuration files using tac. I could,
> for example, change, or at least invalidate the admin password by rewriting the users.properties
> All in all this feels like a major issue.

This message was sent by Atlassian JIRA
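Added example for this thread, not Karaf's own code: a small Python audit that parses ACL text in the line format Karaf's etc/org.apache.karaf.command.acl.<scope>.cfg files use (`command = role1, role2`, or `command[/regex/] = roles` to restrict only certain argument patterns) and lists which shell-scope commands have no entry at all, the condition the issue describes as letting any console user run them. The command list and both ACL texts below are constructed for the illustration rather than copied from a distribution; the "hardened" text adds the cat/tac/ls/cd/pwd entries the issue argues for. The simplified check (no entry means open to everyone, otherwise one matching role suffices) is an assumption drawn from the thread, not Karaf's evaluator, which also honours the argument patterns this script merges into a single role set.

```python
"""Audit a Karaf-style command ACL for commands that no entry covers."""
import re

# Constructed: shell-scope commands the issue singles out, plus a few others.
SHELL_COMMANDS = ["cat", "tac", "ls", "cd", "pwd", "exec", "new", "java", "echo"]

# Constructed stand-in for a shipped etc/org.apache.karaf.command.acl.shell.cfg
# that restricts only a few commands (the state the issue complains about).
DEFAULT_ACL = """\
# Commands not listed here are available to any role.
exec = admin
new = admin
java = admin
"""

# Constructed hardened variant: filesystem access limited to admin.
HARDENED_ACL = DEFAULT_ACL + """\
cat = admin
tac = admin
ls = admin
cd = admin
pwd = admin
"""

# command, optional [argument filter], '=', comma-separated roles.
# The bracket group is greedy so a regex containing ']' still parses.
_ENTRY = re.compile(r"^\s*([^\s\[=]+)(\[.*\])?\s*=\s*(.*?)\s*$")


def parse_acl(text):
    """Return {command: set(roles)}; argument-specific entries for the same
    command are merged into one role set (a simplification of Karaf's ACL)."""
    acl = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"unparseable ACL line: {line!r}")
        command, _argfilter, roles = m.groups()
        acl.setdefault(command, set()).update(
            r.strip() for r in roles.split(",") if r.strip())
    return acl


def unrestricted(commands, acl):
    """Commands with no ACL entry at all, hence runnable by any user who can
    reach the console (the defect reported in KARAF-5330)."""
    return sorted(c for c in commands if c not in acl)


def permitted(acl, command, user_roles):
    """Assumed model of the check: no entry means anyone may run the command;
    otherwise the user needs at least one of the listed roles."""
    if command not in acl:
        return True
    return bool(acl[command] & set(user_roles))


if __name__ == "__main__":
    default = parse_acl(DEFAULT_ACL)
    hardened = parse_acl(HARDENED_ACL)
    print("open under default ACL: ", unrestricted(SHELL_COMMANDS, default))
    print("open under hardened ACL:", unrestricted(SHELL_COMMANDS, hardened))
    print("viewer may cat (default): ", permitted(default, "cat", ["viewer"]))
    print("viewer may cat (hardened):", permitted(hardened, "cat", ["viewer"]))
```

Run it against a real etc/org.apache.karaf.command.acl.shell.cfg by reading the file into `parse_acl` and passing the command names the `shell:` scope actually exposes on your installation; any command the report lists as open is one a non-admin console user can run under the default configuration.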