Bug 1101533 - QMF opcode _query_request bypasses any ACL authorisation
Summary: QMF opcode _query_request bypasses any ACL authorisation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: 3.0
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: 3.1
Assignee: Pavel Moravec
QA Contact: Matej Lesko
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-05-27 12:38 UTC by Pavel Moravec
Modified: 2019-07-11 07:58 UTC (History)

Fixed In Version: qpid-cpp-0.30-2
Doc Type: Bug Fix
Doc Text:
It was discovered that the QMF query "_query_request" bypassed ACL authorization. This allowed any user with minimal privileges to successfully query any object within the broker, regardless of the ACL rule in place for the object. An enhancement adds ACL authorization for the query method, which prevents users from querying objects they do not have permissions for.
Clone Of:
Environment:
Last Closed: 2015-04-14 13:48:07 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Apache JIRA QPID-5817 0 None None None Never
Red Hat Bugzilla 883866 0 medium CLOSED [RFE]: Access control for QMF functionality should be improved 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHEA-2015:0805 0 normal SHIPPED_LIVE Red Hat Enterprise MRG Messaging 3.1 Release 2015-04-14 17:45:54 UTC

Internal Links: 883866

Description Pavel Moravec 2014-05-27 12:38:10 UTC
Description of problem:
QMF opcode _query_request does not authorize against ACL. That allows any user (that can publish to QMF exchange, create+consume from temp.queue,..) to get details about any broker object.


Version-Release number of selected component (if applicable):
qpid-cpp-0.22-40


How reproducible:
100%


Steps to Reproduce:
1) Start broker with any ACL file you want, with trace+:acl logging
2) run this python script:
#!/usr/bin/python
# Reproducer: sends a QMF2 _query_request as the low-privilege "guest" user and
# prints whatever the broker answers. Before the fix the broker replies with the
# object's details without consulting the ACL.

from qpid.messaging import *

conn = Connection("guest/guest@localhost:5672")
try:
    conn.open()
    ssn = conn.session()
    # QMF2 requests go to the broker's agent via the qmf.default.direct exchange
    snd = ssn.sender("qmf.default.direct/broker")
    # auto-deleted temporary queue for the reply
    reply_to = "reply-queue; {create:always, node:{x-declare:{auto-delete:true}}}"
    rcv = ssn.receiver(reply_to)

    # query the broker object itself; any other object name works too
    content = {
        "_what": "OBJECT",
        "_object_id": {"_object_name": "org.apache.qpid.broker:broker:amqp-broker"}
        }
    request = Message(reply_to=reply_to, content=content)
    request.properties["x-amqp-0-10.app-id"] = "qmf2"
    request.properties["qmf.opcode"] = "_query_request"
    snd.send(request)

    try:
        response = rcv.fetch()
        print response
    except Exception, e:
        print e
except ReceiverError, e:
    print e
except KeyboardInterrupt:
    pass
conn.close()

(optionally, replace _object_id by whatever object you want to query for, i.e. a queue, exchange,..)


Actual results:
Broker provides the response and no ACL check (access queue, access method,..) is made


Expected results:
A new ACL object "request" similar to "method" to be added, or "method" to be applied to _query_request as well.


Additional info:
It would be nice if _query_request can differentiate based on object name or type to be requested. I.e. to have the ability to allow user A to request queue Q1 but not queue Q2 and allow user B to request only exchanges.
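The per-object authorisation asked for above (user A may query Q1 but not Q2, user B only exchanges), as an added illustration that is not part of this bug report or of qpid-cpp's own code. It models an "access query" style ACL rule with name= and schemaclass= properties; the rule shape, the parsing of _object_name as "package:class:key" and the default-deny fallback are simplifying assumptions of this example, not the broker's implementation.

```python
# Added example: minimal model of an ACL check applied to a QMF _query_request.
# Before the fix the broker performed no such check and answered any query.
import fnmatch

# Constructed rules in the qpid ACL file style:
#   acl allow|deny <user> <action> [<object> [prop=value ...]]
ACL_RULES = """
acl allow userA@QPID access query schemaclass=queue name=Q1
acl deny  userA@QPID access query schemaclass=queue name=Q2
acl allow userB@QPID access query schemaclass=exchange
acl deny  all all
"""


def parse_rules(text):
    """Parse the constructed rule text into (allow, user, action, obj, props)."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "acl":
            continue
        verdict, user, action = parts[1:4]
        rest = parts[4:]
        # object is optional ("acl deny all all"); properties are key=value
        obj = rest[0] if rest and "=" not in rest[0] else "all"
        props = dict(p.split("=", 1) for p in rest if "=" in p)
        rules.append((verdict == "allow", user, action, obj, props))
    return rules


def object_from_query(content):
    """Extract (schemaclass, name) from _query_request content shaped like the
    reproducer's: _object_name is assumed to be 'package:class:key'."""
    if content.get("_what") != "OBJECT":
        raise ValueError("only _what=OBJECT queries are modelled")
    _package, schemaclass, name = content["_object_id"]["_object_name"].split(":", 2)
    return schemaclass, name


def authorise(rules, user, content):
    """First matching rule wins; no match means deny (assumed default)."""
    schemaclass, name = object_from_query(content)
    props = {"schemaclass": schemaclass, "name": name}
    for allow, ruser, action, obj, rprops in rules:
        if ruser not in ("all", user) or action not in ("all", "access"):
            continue
        if obj not in ("all", "query"):
            continue
        if all(fnmatch.fnmatch(props.get(k, ""), v) for k, v in rprops.items()):
            return allow
    return False
```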

Comment 1 Pavel Moravec 2014-05-27 13:37:48 UTC
All opcodes are:

const string protocol::HEADER_OPCODE_EXCEPTION                    = "_exception";
const string protocol::HEADER_OPCODE_AGENT_LOCATE_REQUEST         = "_agent_locate_request";
const string protocol::HEADER_OPCODE_AGENT_LOCATE_RESPONSE        = "_agent_locate_response";
const string protocol::HEADER_OPCODE_AGENT_HEARTBEAT_INDICATION   = "_agent_heartbeat_indication";
const string protocol::HEADER_OPCODE_QUERY_REQUEST                = "_query_request";
const string protocol::HEADER_OPCODE_QUERY_RESPONSE               = "_query_response";
const string protocol::HEADER_OPCODE_SUBSCRIBE_REQUEST            = "_subscribe_request";
const string protocol::HEADER_OPCODE_SUBSCRIBE_RESPONSE           = "_subscribe_response";
const string protocol::HEADER_OPCODE_SUBSCRIBE_CANCEL_INDICATION  = "_subscribe_cancel_indication";
const string protocol::HEADER_OPCODE_SUBSCRIBE_REFRESH_INDICATION = "_subscribe_refresh_indication";
const string protocol::HEADER_OPCODE_DATA_INDICATION              = "_data_indication";
const string protocol::HEADER_OPCODE_METHOD_REQUEST               = "_method_request";
const string protocol::HEADER_OPCODE_METHOD_RESPONSE              = "_method_response";

Worth checking what others do as well.

Comment 4 Pavel Moravec 2014-06-15 07:16:54 UTC
Upstream review request: https://reviews.apache.org/r/22606/

Comment 5 Pavel Moravec 2014-06-18 07:43:24 UTC
Committed as r1603364.

Comment 10 Matej Lesko 2015-03-25 10:52:35 UTC
Verified for qpid-cpp-0.30-7.

Comment 12 errata-xmlrpc 2015-04-14 13:48:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0805.html

