yahoo-eng-team team mailing list archive
Message #15817
[Bug 1309228] Re: [OSSA 2014-015] User gets group auth if same id (CVE-2014-0204)
** Changed in: keystone
Status: Fix Committed => Fix Released
** Changed in: keystone
Milestone: None => juno-1
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1309228
Title:
[OSSA 2014-015] User gets group auth if same id (CVE-2014-0204)
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone icehouse series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
If a user has the same ID as a group and that group has roles granted to it, the user gets the roles (even if they're not in the group).
Note that Keystone typically assigns IDs and with uuid4 you're not
going to get a user with the same ID as a group, but some setups use
LDAP so the IDs come from the LDAP entries.
Here are instructions on how to recreate:
1) Start with LDAP system (set up with devstack)
2) Create a user with an id of suspectid
$ ldapadd -D "cn=Manager,dc=openstack,dc=org" -w "ofs5dac"
dn: cn=suspectid,ou=Users,dc=openstack,dc=org
objectclass: inetorgperson
sn: suspect
userPassword: blkpwd
3) Create a group with an id of suspectid
$ ldapadd -D "cn=Manager,dc=openstack,dc=org" -w "ofs5dac"
dn: cn=suspectid,ou=UserGroups,dc=openstack,dc=org
objectclass: groupOfNames
ou: suspect
member: cn=dumb,dc=nonexistent
$ openstack --os-identity-api=3 --os-auth-url http://localhost:5000/v3
group list
4) Grant a role to the group on a project
$ openstack --os-identity-api=3 --os-auth-url http://localhost:5000/v3
role add --group suspect --project demo admin
5) Get a token as the user, notice that the user has the group's
access.
$ curl -s \
-H "Content-Type: application/json" \
-d '
{ "auth": {
"passwordCredentials": {
"username": "suspect",
"password": "blkpwd"
},
"tenantName": "demo"
}
}' \
http://localhost:35357/v2.0/tokens | python -m json.tool
---
"roles": [
{
"name": "admin"
}
],
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1309228/+subscriptions
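As an added illustration (not Keystone's code and not the actual patch), the following Python models a role lookup that keys assignments on the actor ID alone, which reproduces the behaviour in this report, next to a lookup that also checks whether the actor is a user or a group, plus a check that flags IDs shared between users and groups; all data, names and functions are constructed for this example.

```python
# Added example, not Keystone's own code: models the lookup flaw behind
# CVE-2014-0204 and a corrected lookup, plus a user/group ID collision check.
from collections import namedtuple

Assignment = namedtuple("Assignment", "actor_id actor_type target_id role")

# Constructed sample data mirroring the report: a user and a group that share
# the ID "suspectid", and an admin role granted only to the group on "demo".
USERS = {"suspectid": {"name": "suspect"}, "u-1234": {"name": "alice"}}
GROUPS = {
    "suspectid": {"name": "suspect", "members": []},
    "g-5678": {"name": "ops", "members": ["u-1234"]},
}
ASSIGNMENTS = [
    Assignment("suspectid", "group", "demo", "admin"),
    Assignment("g-5678", "group", "demo", "member"),
]


def groups_of(user_id):
    """Groups the user is actually a member of."""
    return {gid for gid, g in GROUPS.items() if user_id in g["members"]}


def roles_vulnerable(user_id, project_id):
    """Flawed lookup: matches on actor_id only, so a group assignment whose
    ID equals the user's ID is treated as the user's own assignment."""
    ids = {user_id} | groups_of(user_id)
    return {a.role for a in ASSIGNMENTS
            if a.actor_id in ids and a.target_id == project_id}


def roles_fixed(user_id, project_id):
    """Corrected lookup: a user assignment must carry this user's ID, and a
    group assignment must belong to a group the user is a member of."""
    member_of = groups_of(user_id)
    roles = set()
    for a in ASSIGNMENTS:
        if a.target_id != project_id:
            continue
        if a.actor_type == "user" and a.actor_id == user_id:
            roles.add(a.role)
        elif a.actor_type == "group" and a.actor_id in member_of:
            roles.add(a.role)
    return roles


def id_collisions(users, groups):
    """Deployment check: IDs present in both the user and group sets, which
    can happen with LDAP-derived IDs but not with Keystone's uuid4 IDs."""
    return sorted(set(users) & set(groups))
```

Running id_collisions over a dump of an LDAP-backed deployment's user and group IDs is a quick way to tell whether the condition in this report can arise at all.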