karaf-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jean-Baptiste Onofré ...@nanthrax.net>
Subject Re: Preventing access to shell:exec in 4.0.7
Date Fri, 09 Dec 2016 13:59:36 GMT
Great, thanks !

Regards
JB

On 12/09/2016 02:57 PM, Paul McCulloch wrote:
>  1. KARAF-4889 <https://issues.apache.org/jira/browse/KARAF-4889> logged
>
>
> On 9 December 2016 at 13:20, Jean-Baptiste Onofré <jb@nanthrax.net
> <mailto:jb@nanthrax.net>> wrote:
>
>     I think it would be an interesting plugin to add.
>
>     Do you mind to create a Jira about that ?
>
>     Regards
>     JB
>
>     On 12/09/2016 02:16 PM, Paul McCulloch wrote:
>
>         I think I've come to the same conclusion. It looks like some work on
>         RBAC has been done in HawtIO
>         (https://github.com/hawtio/hawtio/issues/465
>         <https://github.com/hawtio/hawtio/issues/465>) so I'll see if
>         that's any use.
>
>         On 9 December 2016 at 12:57, Achim Nierbeck
>         <bcanhome@googlemail.com <mailto:bcanhome@googlemail.com>
>         <mailto:bcanhome@googlemail.com
>         <mailto:bcanhome@googlemail.com>>> wrote:
>
>             I fully agree with Milen on this.
>             The WebConsole is just to "powerful" for an "ordinary" user.
>             Just think of starting/stoping bundles by accident. This
>         alone is
>             already malicious enough, and hard to track ;)
>
>             regards, Achim
>
>             2016-12-09 13:55 GMT+01:00 Milen Dyankov
>         <milendyankov@gmail.com <mailto:milendyankov@gmail.com>
>             <mailto:milendyankov@gmail.com
>         <mailto:milendyankov@gmail.com>>>:
>
>                 I know this does not help you at all but IMHO giving random
>                 users access to webconsole is terrible idea. I personally
>                 consider webconsole only useful for developers and
>         eventually
>                 highly trusted, responsible and knowledgeable
>         administrators.
>
>                 On Fri, Dec 9, 2016 at 1:48 PM, Paul McCulloch
>                 <pkmcculloch@gmail.com <mailto:pkmcculloch@gmail.com>
>         <mailto:pkmcculloch@gmail.com <mailto:pkmcculloch@gmail.com>>>
>         wrote:
>
>                     Yes. Only admins can use webconsole, so the web
>         console user
>                     can modify the roles required for shell:exec to match
>                     themselves.
>
>                     I guess what I am really saying is that I want a non
>         admin
>                     user to be able to use web console.
>
>                     Even if I do stop a webconsole user from executing
>                     shell:exec, there is nothing to stop them loading a
>         bundle
>                     that does whatever they want. So it would just be
>         raising
>                     the bar for a malicious admin user.
>
>                     I think I may look at running karaf inside some sort of
>                     container (chroot, Docker) to reduce the rick of
>         granting
>                     Karaf adamin rights where I don't want to give an OS
>         login.
>
>                     Thanks.
>
>                     Paul
>
>                     On 9 December 2016 at 12:36, Jean-Baptiste Onofré
>                     <jb@nanthrax.net <mailto:jb@nanthrax.net>
>         <mailto:jb@nanthrax.net <mailto:jb@nanthrax.net>>> wrote:
>
>                         By command, you mean shell:exec ? The acl should
>         already
>                         prevent execution if the user doesn't have in the
>                         expected role.
>
>                         Regards
>                         JB
>
>                         On 12/09/2016 01:30 PM, Paul McCulloch wrote:
>
>                             That would be ideal, but right now I'm
>         looking for
>                             any way to prevent
>                             access to these (very dangerous I think)
>         commands.
>
>                             On 9 December 2016 at 12:08, Jean-Baptiste
>         Onofré
>                             <jb@nanthrax.net <mailto:jb@nanthrax.net>
>         <mailto:jb@nanthrax.net <mailto:jb@nanthrax.net>>
>                             <mailto:jb@nanthrax.net
>         <mailto:jb@nanthrax.net> <mailto:jb@nanthrax.net
>         <mailto:jb@nanthrax.net>>>>
>
>                             wrote:
>
>                                 Hi Paul,
>
>                                 So basically, you want RBAC on the
>         webconsole.
>                             Correct ?
>
>                                 It's not possible today without changing the
>                             webconsole. It's a good
>                                 idea to add such feature.
>
>                                 Regards
>                                 JB
>
>
>                                 On 12/09/2016 12:52 PM, Paul McCulloch
>         wrote:
>
>                                     Hi,
>
>                                     I'm trying to prevent access to
>         shell:exec
>                             from the console to
>                                     try and
>                                     harden my karaf install.
>
>                                     I can revoke access from an admin
>         user with
>                             "config:property-set -p
>                                     org.apache.karaf.command.acl.shell exec
>                             uberadmin". I can also
>                                     prevent
>                                     the user from using
>         config:property-set from
>                             restoring the
>                                     permissions.
>
>                                     What I can't seem to do is prevent
>         an admin
>                             user from restoring
>                                     permissions via the web console's
>                             Configuration gui.
>
>                                     I want to permit remote access to
>         the web
>                             console, but I don't
>                                     want to
>                                     give users the ability to run arbitrary
>                             commands on the server.
>
>                                     Thanks,
>
>                                     Paul
>
>
>                                 --
>                                 Jean-Baptiste Onofré
>                                 jbonofre@apache.org
>         <mailto:jbonofre@apache.org> <mailto:jbonofre@apache.org
>         <mailto:jbonofre@apache.org>>
>                             <mailto:jbonofre@apache.org
>         <mailto:jbonofre@apache.org>
>                             <mailto:jbonofre@apache.org
>         <mailto:jbonofre@apache.org>>>
>                                 http://blog.nanthrax.net
>                                 Talend - http://www.talend.com
>
>
>
>                         --
>                         Jean-Baptiste Onofré
>                         jbonofre@apache.org <mailto:jbonofre@apache.org>
>         <mailto:jbonofre@apache.org <mailto:jbonofre@apache.org>>
>                         http://blog.nanthrax.net
>                         Talend - http://www.talend.com
>
>
>
>
>
>                 --
>                 http://about.me/milen
>
>
>
>
>             --
>
>             Apache Member
>             Apache Karaf <http://karaf.apache.org/> Committer & PMC
>             OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/
>         <http://wiki.ops4j.org/display/paxweb/Pax+Web/>
>             <http://wiki.ops4j.org/display/paxweb/Pax+Web/
>         <http://wiki.ops4j.org/display/paxweb/Pax+Web/>>> Committer &
>         Project
>             Lead
>             blog <http://notizblog.nierbeck.de/>
>             Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
>
>             Software Architect / Project Manager / Scrum Master
>
>
>
>     --
>     Jean-Baptiste Onofré
>     jbonofre@apache.org <mailto:jbonofre@apache.org>
>     http://blog.nanthrax.net
>     Talend - http://www.talend.com
>
>

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com

Mime
View raw message