zookeeper-dev mailing list archives

From "Bhupendra Kumar Jain (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-2591) The deletion of Container znode doesn't check ACL delete permission
Date Sat, 01 Jul 2017 20:21:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16071390#comment-16071390 ]

Bhupendra Kumar Jain commented on ZOOKEEPER-2591:
-------------------------------------------------

Right, but what if the malicious user deletes this node as soon as it gets created? In that
case the applications which try to create children inside this parent node will fail. It's
a rare case but quite possible.


> The deletion of Container znode doesn't check ACL delete permission
> -------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2591
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2591
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>            Reporter: Edward Ribeiro
>            Assignee: Edward Ribeiro
>
> Container nodes check the ACL before creation, but the deletion doesn't check the ACL
> rights. The code below succeeds even though we removed ACL access permissions for "/a".
> {code}
>         zk.create("/a", null, Ids.OPEN_ACL_UNSAFE, CreateMode.CONTAINER);
>         ArrayList<ACL> list = new ArrayList<>();
>         list.add(new ACL(0, Ids.ANYONE_ID_UNSAFE));
>         zk.setACL("/", list, -1);
>         zk.delete("/a", -1);
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
