karaf-issues mailing list archives

From "Scott Tustison (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KARAF-5330) Require a specific role to access the SSH console
Date Tue, 17 Oct 2017 18:23:00 GMT

    [ https://issues.apache.org/jira/browse/KARAF-5330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16208082#comment-16208082 ]

Scott Tustison commented on KARAF-5330:

Found this ticket after encountering the same issue within Karaf. We'd like folks that have
access to the command console to not be able to touch the file system in arbitrary locations.
A comment above says: "If you are really concerned about security, the only thing you can
do is to use a java security manager and permissions." And we tried this, by using our own
security manager as well as the one available via Equinox by using the properties in the system.properties
file. The command line appears to still behave as if it has the AllPermission and can obviously
modify or read any file on the file system as the user running Karaf. This still seems like
an issue to me even with a role to lock down who can access SSH. How can you lock down these
actions available to users via the command console?

> Require a specific role to access the SSH console
> -------------------------------------------------
>                 Key: KARAF-5330
>                 URL: https://issues.apache.org/jira/browse/KARAF-5330
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf-security, karaf-shell
>            Reporter: Tom Quarendon
>            Assignee: Guillaume Nodet
>             Fix For: 4.2.0, 4.0.10, 4.1.3
>
> The shell:cat command has no access control list associated with it in the default configuration.
> The same is true of the "shell:ls" command. There may be other shell: commands too that
> can provide filesystem access. I don't know whether cd, pwd for example should be secured.
> "tac" most certainly should.
> This means that any user that can access the ssh console can navigate the filesystem,
> reading and writing files as they like.
> For example, given the default configuration, if I have a "normal" user and can therefore
> access the console, I can use shell commands to find out or guess the location of the karaf
> install (shell:pwd will do that), then cat the contents of the etc/users.properties file and
> find out all users' passwords (in the default configuration the passwords are in plain text).
> I can also cat the etc/host.key file which would seem undesirable.
> tac clearly would be a very dangerous command to have access to. It seems likely that
> I could subvert many things by just writing directly to configuration files using tac. I could,
> for example, change, or at least invalidate the admin password by rewriting the users.properties
> All in all this feels like a major issue.
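As an added check (not code from the Karaf project or from the authors in this thread), the Python script below parses a shell-scope command ACL file of the kind Karaf reads from etc/org.apache.karaf.command.acl.<scope>.cfg and reports which of the file-system commands named in the issue are still open to every console user. The sample ACL contents and the list of file-system commands are constructed for the example.

```python
import re

# Karaf command ACLs live in etc/org.apache.karaf.command.acl.<scope>.cfg; each line maps a
# command in that scope (optionally with an argument pattern in [...]) to the roles allowed
# to run it. A command with no entry is open to every console user, which is the issue above.
ACL_LINE = re.compile(r"^([\w\-]+)(\[.*\])?\s*=\s*(.*)$")

# shell-scope commands that reach the file system: names taken from the issue text plus
# exec and edit (constructed list, adjust for your deployment)
FILESYSTEM_COMMANDS = {"cat", "tac", "ls", "cd", "pwd", "exec", "edit"}


def parse_acl(text):
    """Return (blanket, partial): command -> roles for entries without an argument pattern,
    and command -> list of patterns for entries that only guard matching invocations."""
    blanket, partial = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or properties-style comment
            continue
        m = ACL_LINE.match(line)
        if not m:
            continue
        cmd, pattern, roles = m.groups()
        role_set = {r.strip() for r in roles.split(",") if r.strip()}
        if pattern:
            partial.setdefault(cmd, []).append(pattern)
        else:
            blanket.setdefault(cmd, set()).update(role_set)
    return blanket, partial


def unrestricted_commands(acl_text, commands=FILESYSTEM_COMMANDS):
    """Commands from `commands` that any authenticated console user can still run."""
    blanket, _partial = parse_acl(acl_text)
    return sorted(c for c in commands if not blanket.get(c))


# constructed sample modelled on a shell-scope ACL file; cat is only guarded for one
# argument pattern, so it still counts as unrestricted
WEAK_ACL = """\
exec = admin
edit = admin
cat[/.*etc.*/] = admin
"""

# corrected file: every file-system command requires the admin role
HARDENED_ACL = WEAK_ACL + "\n".join(f"{c} = admin" for c in sorted(FILESYSTEM_COMMANDS)) + "\n"

if __name__ == "__main__":
    print("weak:", unrestricted_commands(WEAK_ACL))          # ['cat', 'cd', 'ls', 'pwd', 'tac']
    print("hardened:", unrestricted_commands(HARDENED_ACL))  # []
```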

This message was sent by Atlassian JIRA
