karaf-user mailing list archives

From Paul McCulloch <pkmccull...@gmail.com>
Subject Re: Preventing access to shell:exec in 4.0.7
Date Fri, 09 Dec 2016 13:57:44 GMT
   1. KARAF-4889 <https://issues.apache.org/jira/browse/KARAF-4889> logged


On 9 December 2016 at 13:20, Jean-Baptiste Onofré <jb@nanthrax.net> wrote:

> I think it would be an interesting plugin to add.
>
> Do you mind creating a Jira about that?
>
> Regards
> JB
>
> On 12/09/2016 02:16 PM, Paul McCulloch wrote:
>
>> I think I've come to the same conclusion. It looks like some work on
>> RBAC has been done in HawtIO
>> (https://github.com/hawtio/hawtio/issues/465) so I'll see if that's any
>> use.
>>
>> On 9 December 2016 at 12:57, Achim Nierbeck <bcanhome@googlemail.com> wrote:
>>
>>     I fully agree with Milen on this.
>>     The WebConsole is just to "powerful" for an "ordinary" user.
>>     Just think of starting/stopping bundles by accident. This alone is
>>     already malicious enough, and hard to track ;)
>>
>>     regards, Achim
>>
>>     2016-12-09 13:55 GMT+01:00 Milen Dyankov <milendyankov@gmail.com>:
>>
>>         I know this does not help you at all but IMHO giving random
>>         users access to webconsole is a terrible idea. I personally
>>         consider webconsole only useful for developers and eventually
>>         highly trusted, responsible and knowledgeable administrators.
>>
>>         On Fri, Dec 9, 2016 at 1:48 PM, Paul McCulloch
>>         <pkmcculloch@gmail.com> wrote:
>>
>>             Yes. Only admins can use webconsole, so the web console user
>>             can modify the roles required for shell:exec to match
>>             themselves.
>>
>>             I guess what I am really saying is that I want a non-admin
>>             user to be able to use web console.
>>
>>             Even if I do stop a webconsole user from executing
>>             shell:exec, there is nothing to stop them loading a bundle
>>             that does whatever they want. So it would just be raising
>>             the bar for a malicious admin user.
>>
>>             I think I may look at running karaf inside some sort of
>>             container (chroot, Docker) to reduce the risk of granting
>>             Karaf admin rights where I don't want to give an OS login.
>>
>>             Thanks.
>>
>>             Paul
>>
>>             On 9 December 2016 at 12:36, Jean-Baptiste Onofré
>>             <jb@nanthrax.net> wrote:
>>
>>                 By command, you mean shell:exec? The acl should already
>>                 prevent execution if the user isn't in the expected role.
>>
>>                 Regards
>>                 JB
>>
>>                 On 12/09/2016 01:30 PM, Paul McCulloch wrote:
>>
>>                     That would be ideal, but right now I'm looking for
>>                     any way to prevent
>>                     access to these (very dangerous I think) commands.
>>
>>                     On 9 December 2016 at 12:08, Jean-Baptiste Onofré
>>                     <jb@nanthrax.net> wrote:
>>
>>                         Hi Paul,
>>
>>                         So basically, you want RBAC on the webconsole.
>>                         Correct?
>>
>>                         It's not possible today without changing the
>>                         webconsole. It's a good idea to add such a
>>                         feature.
>>
>>                         Regards
>>                         JB
>>
>>
>>                         On 12/09/2016 12:52 PM, Paul McCulloch wrote:
>>
>>                             Hi,
>>
>>                             I'm trying to prevent access to shell:exec
>>                             from the console to try and harden my Karaf
>>                             install.
>>
>>                             I can revoke access from an admin user with
>>                             "config:property-set -p
>>                             org.apache.karaf.command.acl.shell exec
>>                             uberadmin". I can also prevent the user from
>>                             using config:property-set to restore the
>>                             permissions.
>>
>>                             What I can't seem to do is prevent an admin
>>                             user from restoring permissions via the web
>>                             console's Configuration GUI.
>>
>>                             I want to permit remote access to the web
>>                             console, but I don't want to give users the
>>                             ability to run arbitrary commands on the
>>                             server.
>>
>>                             Thanks,
>>
>>                             Paul
>>
>>
>>                         --
>>                         Jean-Baptiste Onofré
>>                         jbonofre@apache.org
>>                         http://blog.nanthrax.net
>>                         Talend - http://www.talend.com
>>
>>
>>
>>                 --
>>                 Jean-Baptiste Onofré
>>                 jbonofre@apache.org
>>                 http://blog.nanthrax.net
>>                 Talend - http://www.talend.com
>>
>>         --
>>         http://about.me/milen
>>
>>     --
>>
>>     Apache Member
>>     Apache Karaf <http://karaf.apache.org/> Committer & PMC
>>     OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/>
>>     Committer & Project Lead
>>     blog <http://notizblog.nierbeck.de/>
>>     Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>
>>
>>     Software Architect / Project Manager / Scrum Master
>>
> --
> Jean-Baptiste Onofré
> jbonofre@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
>
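
To make the thread's point concrete, here is a small Python model of Karaf command ACL lookup; it is added here and is neither Karaf's code nor anything posted by the participants. It assumes etc/org.apache.karaf.command.acl.<scope>.cfg lines of the form "command = role1,role2" (a command with no entry is unrestricted) and models the web console's Configuration view as a write to the same PID that bypasses the command ACL, as Paul describes; parse_acl, can_run, demo and the role set are constructed.

```python
# Constructed model of Karaf command ACL lookup (not Karaf's own code).
# Assumed: etc/org.apache.karaf.command.acl.<scope>.cfg holds "command = role1,role2"
# lines; a user may run a command if they hold one listed role; a command with
# no entry is unrestricted; the web console writes the PID without the command ACL.

ACL_PID_PREFIX = "org.apache.karaf.command.acl."

def parse_acl(cfg_text):
    """Parse 'command = role1,role2' lines into {command: set(roles)}."""
    acl = {}
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        acl[key.strip()] = {r.strip() for r in value.split(",") if r.strip()}
    return acl

def can_run(configs, scope, command, user_roles):
    """True if a user holding user_roles may run <scope>:<command>."""
    required = configs.get(ACL_PID_PREFIX + scope, {}).get(command)
    if not required:  # no entry for this command: unrestricted
        return True
    return bool(required & set(user_roles))

def shell_property_set(configs, user_roles, pid, key, value):
    """config:property-set typed in the shell: gated by the 'config' scope ACL."""
    if not can_run(configs, "config", "property-set", user_roles):
        return False  # denied, nothing changes
    configs.setdefault(pid, {})[key] = {value}
    return True

def webconsole_property_set(configs, pid, key, value):
    """Web console Configuration view: writes the PID directly, no command ACL."""
    configs.setdefault(pid, {})[key] = {value}

def demo():
    """Replay the thread's scenario; returns (exec_denied, shell_restore_ok, exec_after)."""
    configs = {
        ACL_PID_PREFIX + "shell": parse_acl("exec = uberadmin\n"),
        ACL_PID_PREFIX + "config": parse_acl("property-set = uberadmin\n"),
    }
    admin = ["admin"]  # constructed: holds admin but not uberadmin
    exec_denied = not can_run(configs, "shell", "exec", admin)
    shell_restore_ok = shell_property_set(configs, admin, ACL_PID_PREFIX + "shell", "exec", "admin")
    webconsole_property_set(configs, ACL_PID_PREFIX + "shell", "exec", "admin")
    return exec_denied, shell_restore_ok, can_run(configs, "shell", "exec", admin)
```

The result (True, False, True) is the gap the thread describes: the shell-side ACL holds until the PID is rewritten through a path the command ACL does not cover, so restricting the command alone does not contain a console user who can edit configuration.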
