Bug 965809

Summary: Spacewalk allows ISS more than they should
Product: [Community] Spacewalk
Reporter: Grant Gainey <ggainey>
Component: Server
Assignee: Grant Gainey <ggainey>
Status: CLOSED CURRENTRELEASE
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: unspecified
Priority: unspecified
Version: 1.10
CC: cperry, jhutar, jpazdziora, sclewis, tkasparek, vdanen
Target Milestone: ---
Keywords: Security, SecurityTracking
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: spacewalk-backend-1.10.34-1
Doc Type: Release Note
Clone Of: 959457
Last Closed: 2013-08-02 13:11:15 UTC
Type: Bug
Bug Depends On: 959457
Bug Blocks: 959524, 991452

Description Grant Gainey 2013-05-21 19:16:59 UTC
+++ This bug was initially created as a clone of Bug #959457 +++

Description of problem:

The backend/satellite_exporter/handlers/non_auth_dumper.py calls don't check the authenticity of the client, beyond the initial /SAT authentication.check done in backend/server/handlers/sat/auth.py. With a trivially modified satellite-sync client which skips the initial /SAT call, any client machine can get any channel content from any Satellite it can access via HTTP(S).

Version-Release number of selected component (if applicable):

Reproduced on spacewalk-nightly. The hole might have been there since the ISS feature was introduced.

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have a Satellite that does not have your client machine's IP in /etc/rhn/rhn.conf's allowed_iss_slaves.
2. In fact, to make things "extra secure", you can set disable_iss=1 too.
3. On client machine (likely another Satellite), apply the following patch to your satsync.py file:

--- /usr/lib/python2.4/site-packages/spacewalk/satellite_tools/satsync.py.orig	2013-01-10 07:12:50.000000000 -0500
+++ /usr/lib/python2.4/site-packages/spacewalk/satellite_tools/satsync.py	2013-05-03 10:17:24.000000000 -0400
@@ -454,6 +454,9 @@
                 else:
                     raise RhnSyncException, _('ERROR: this server must be registered with RHN.'), sys.exc_info()[2]
             # authorization check of the satellite
+            xmlWireSource.BaseWireSource(self.systemid, self.sslYN,
+                                                self.xml_dump_version)
+            return
             auth = xmlWireSource.AuthWireSource(self.systemid, self.sslYN,
                                                 self.xml_dump_version)
             auth.checkAuth()
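Review bot: the added `return` right after the `xmlWireSource.BaseWireSource(...)` construction makes the following `auth = xmlWireSource.AuthWireSource(...)` and `auth.checkAuth()` lines unreachable, and the constructed `BaseWireSource` object is never assigned, so the only effect of the hunk is that the client skips the /SAT authorization round-trip entirely. That is exactly the weakness the report describes: the `allowed_iss_slaves` / `disable_iss` policy is enforced in the client's sync path and in the server's /SAT handler, but the `non_auth_dumper.py` handlers serve channel content without consulting it, so a master cannot treat `authentication.check` in `sat/auth.py` as the single gate; each dump handler needs to apply the ISS policy on its own request.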

4. Run satellite-sync against the "secured" Satellite: satellite-sync --step=channels --iss-parent=sputnik-prod.brq.redhat.com --no-ssl -l
  
Actual results:

10:28:23 WARNING: --list-channels option overrides any --step option. --step ignored.
10:28:23 Red Hat Network Satellite - live synchronization
10:28:23    url: http://sputnik-prod.brq.redhat.com
10:28:23    debug/output level: 1
10:28:23    db:  spaceuser/<password>@the_oracle
10:28:23 
10:28:23 Retrieving / parsing channel-families data
10:28:24 channel-families data complete
10:28:24 
10:28:24 Retrieving / parsing product names data
10:28:25 product names data complete
10:28:25 
10:28:25 Retrieving / parsing channel data
10:28:40    p = previously imported/synced channel
10:28:40    . = channel not yet imported/synced
10:28:40    e = channel no longer supported (end-of-service)
10:28:40    base-channels:
10:28:40       . clone-3-rhel-x86_64-server-5             2825       full import from Fri May  3 16:23:03 2013
10:28:40       . clone-clone-3-rhel-x86_64-server-5       2825       full import from Fri May  3 16:22:55 2013
10:28:40       . clone-rhel-x86_64-server-6               3430       full import from Fri May  3 16:23:27 2013
10:28:40       . jhutar-bz812053                             0       full import from Fri May  3 16:23:16 2013
10:28:40       . jtesar-dup-test                             1       full import from Fri May  3 16:23:10 2013
10:28:40       . jtesar-rhel-i386-server-5                10692       full import from Fri May  3 16:23:27 2013
10:28:40       . prod-clone-rhel-x86_64-client-5          1897       full import from Fri May  3 16:23:22 2013
10:28:40       . qa-clone-rhel-x86_64-client-5            10004       full import from Fri May  3 16:22:57 2013
10:28:40       . rhel-i386-client-5                       9352       full import from Fri May  3 16:23:13 2013

[...]

Expected results:

10:16:31 WARNING: --list-channels option overrides any --step option. --step ignored.
10:16:31 Red Hat Network Satellite - live synchronization
10:16:31    url: http://sputnik-prod.brq.redhat.com
10:16:31    debug/output level: 1
10:16:31 
10:16:31 
ERROR: The Server listed within iss-parent is not configured for ISS 
       capability.
       Please review your configuration before trying again.

Additional info:

We show this with -l above but I believe even syncing the content will run just fine.
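The server-side gap the report describes, modeled as an added example that is not Spacewalk's own code: a master whose ISS policy is checked only by the /SAT handler, next to the hardened form where every dump handler re-evaluates the policy itself. The config keys are the ones the report names (disable_iss, allowed_iss_slaves); the handler names, addresses and payload are constructed stand-ins.

```python
from functools import wraps

# Constructed model (not Spacewalk's own code) of an ISS master serving channel
# dumps. Config keys mirror the ones the report names in /etc/rhn/rhn.conf
# (disable_iss, allowed_iss_slaves); the addresses and payload are made up.
CONFIG = {"disable_iss": 0, "allowed_iss_slaves": ["10.0.0.5", "10.0.0.6"]}
CHANNEL_DUMP = "<rhn-channel-families>...</rhn-channel-families>"


class IssForbidden(Exception):
    """Raised when the caller is not an authorized ISS slave."""


def iss_allowed(config, client_ip):
    """The policy decision: ISS enabled on this master AND caller whitelisted."""
    if int(config.get("disable_iss", 0)):
        return False
    return client_ip in config.get("allowed_iss_slaves", [])


# Vulnerable shape from the report: the policy is enforced only by the /SAT
# handler, and the dump handlers assume the client went through it first.
def sat_auth_vulnerable(client_ip):
    if not iss_allowed(CONFIG, client_ip):
        raise IssForbidden("host %s is not an allowed ISS slave" % client_ip)
    return "ok"


def channel_families_vulnerable(client_ip):
    return CHANNEL_DUMP  # no per-request check: any host that reaches the URL gets it


# Hardened shape: every dump handler re-evaluates the policy itself, so a client
# that skips /SAT gains nothing.
def require_iss_slave(handler):
    @wraps(handler)
    def wrapper(client_ip, *args, **kwargs):
        if not iss_allowed(CONFIG, client_ip):
            raise IssForbidden("host %s is not an allowed ISS slave" % client_ip)
        return handler(client_ip, *args, **kwargs)
    return wrapper


@require_iss_slave
def channel_families_fixed(client_ip):
    return CHANNEL_DUMP


def try_dump(handler, client_ip):
    # What a caller observes: the dump when authorized, otherwise None.
    try:
        return handler(client_ip)
    except IssForbidden:
        return None
```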

Comment 1 Grant Gainey 2013-05-28 13:55:33 UTC
Fixed in commit 99771bb4759079291a852daec60a7f5afa0e40eb

Comment 2 Tomáš Kašpárek 2013-08-02 13:11:15 UTC
Fix for this bug is present in Spacewalk 2.0, closing this bug as CURRENTRELEASE.