Bug 1410916
| Field | Value |
|---|---|
| Summary | Should only be able to add repositories you have access to |
| Product | Red Hat Satellite |
| Reporter | Stuart Auchterlonie <sauchter> |
| Component | Repositories |
| Assignee | Justin Sherrill <jsherril> |
| Status | CLOSED ERRATA |
| QA Contact | Stephen Wadeley <swadeley> |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 6.2.6 |
| CC | andrew.schofield, anrussel, avroy, baitken, bbuckingham, bkearney, bmidwood, christian.klier, cmarinea, dhlavacd, ehelms, iballou, jsherril, jturel, kabbott, kdixon, rjerrido, suarora |
| Target Milestone | 6.8.0 |
| Keywords | PrioBumpGSS, Security, Triaged |
| Target Release | Unused |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | rubygem-katello-3.16.0-0.16.rc4.1 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1436209 1862235 |
| Environment | |
| Last Closed | 2020-10-27 12:57:17 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1316897, 1434106, 1436209 |
Description

Stuart Auchterlonie, 2017-01-06 20:44:23 UTC

Created redmine issue http://projects.theforeman.org/issues/18035 from this bug

*** Bug 1429590 has been marked as a duplicate of this bug. ***

Upstream bug assigned to bbuckingham

Thank you for reporting this issue. I've been able to reproduce it and make some determinations about what is happening. The resource described (repository) is part of Katello. Unfortunately, it appears that all Katello resources would exhibit this behavior due to the fact that we are not completely integrated with the Foreman authentication scheme (or any other scheme which would verify the user's role 'search' filters). Getting this working, though we've identified a feasible approach, requires a wide and significant number of changes. Due to the timing and risk I'm setting this back to NEW until we can figure out when to address the problem.

*** Bug 1467291 has been marked as a duplicate of this bug. ***

I'd like to ask that we consider this for a 6.3.z release formally. This does make our RBAC controls look rather ineffective as this exploit directly ignores them. Given that we want people to trust our RBAC controls, I think that we need to consider the perception issue here and push to get this fixed asap. I understand that this is a LOW vulnerability due to the fact that it's unlikely to be exploited in any meaningful way, but there is definitely a perception issue that is caused by this ignorance of the Satellite RBAC model.

Cheers,
Karl

Karl,

Unfortunately, due to the extent of the changes that are going to be required to address this, 6.3.z is very unlikely. That said, once we have a fix in place we can assess the feasibility of backporting.

*** Bug 1436209 has been marked as a duplicate of this bug. ***

*** Bug 1276769 has been marked as a duplicate of this bug. ***

Upstream bug assigned to jsherril

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Satellite 6.8 release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366
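The root cause given in the comments is that Katello resource lookups were not run through the user's Foreman role 'search' filters, so a repository id supplied by a request was resolved against the whole table rather than the caller's authorized subset. The Ruby below is an added illustration of that distinction and is not Katello or Foreman code, nor the fix that shipped in rubygem-katello-3.16.0; the `Repository`, `User`, `Filter` classes, the sample data and the `find_repository_*` / `add_repository_to_content_view` functions are all invented for the example, with role filters modelled as plain predicates standing in for Foreman-style search strings.

```ruby
# Hypothetical, self-contained model of role-scoped resource lookup.
# Not Katello/Foreman code: the classes, data and filter syntax are invented
# to contrast an unscoped find-by-id with a find constrained by the caller's
# role filters, which is the gap the bug report describes.

Repository = Struct.new(:id, :name, :organization)

# Constructed sample data: two organizations, three repositories.
REPOSITORIES = [
  Repository.new(1, "rhel-7-server-rpms", "acme"),
  Repository.new(2, "custom-tools", "acme"),
  Repository.new(3, "internal-builds", "globex"),
].freeze

# A role filter is a predicate over repositories, standing in for a
# Foreman-style search string such as `organization = acme`.
Filter = Struct.new(:description, :predicate)

User = Struct.new(:login, :filters) do
  # The repositories this user's role filters permit them to see.
  def visible_repositories
    REPOSITORIES.select { |repo| filters.any? { |f| f.predicate.call(repo) } }
  end
end

# Pattern the bug describes: the id from the request is resolved against the
# whole table, so role filters never participate in the decision.
def find_repository_unscoped(id)
  REPOSITORIES.find { |repo| repo.id == id }
end

# Hardened pattern: resolve the id only inside the caller's authorized set.
# Returns nil for ids the user may not see; the controller should answer
# that exactly as it answers a non-existent id, so existence is not leaked.
def find_repository_authorized(user, id)
  user.visible_repositories.find { |repo| repo.id == id }
end

class NotAuthorized < StandardError; end

# Attaching a repository to a content view must go through the authorized
# lookup; raising models a 404/403 instead of silently attaching.
def add_repository_to_content_view(user, content_view, repo_id)
  repo = find_repository_authorized(user, repo_id)
  raise NotAuthorized, "repository #{repo_id} not visible to #{user.login}" if repo.nil?
  content_view[:repository_ids] << repo.id
  content_view
end

# Constructed user whose only role filter covers the "acme" organization.
ACME_ONLY = Filter.new("organization = acme", ->(repo) { repo.organization == "acme" })
ALICE = User.new("alice", [ACME_ONLY])

if __FILE__ == $PROGRAM_NAME
  cv = { name: "acme-cv", repository_ids: [] }
  add_repository_to_content_view(ALICE, cv, 2)
  begin
    add_repository_to_content_view(ALICE, cv, 3)
  rescue NotAuthorized => e
    puts "blocked: #{e.message}"
  end
  p cv
end
```

The useful check for a reviewer is that every resource-resolving call on a write path (here `add_repository_to_content_view`) goes through the scoped lookup; an unscoped `find` anywhere on such a path reintroduces the behaviour the bug describes regardless of how well the role filters themselves are defined.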