Description of problem:
Action Chaining suffers from a serious security flaw: a user can edit and/or schedule an action chain that was created by an administrator. Even more, in the pending action details there is no evidence of that. It says: Scheduler: admin.

Version-Release number of selected component (if applicable):
Satellite-5.7.0-RHEL6-re20141015.0

How reproducible:
100%

Steps to Reproduce:
1. create both admin and user accounts
2. as admin user, schedule an action and add it to an action chain
3. then, logged in as the user, navigate to Schedule -> Action Chains -> choose the chain created by admin
4. exhibit some maliciousness: edit it and then bingo: schedule it !!!

Actual results:
other users can edit and schedule admin's action chains

Expected results:
proper perms separation (user shouldn't even see an admin's chain?)
ActionChains and ActionChainEntries are visible only to their creator

spacewalk commit 905cf177b447697a713d80d08c123f63e5a4003c
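The following is an added illustration, not code from Spacewalk or from this report: it contrasts the id-only lookup that let any user reach an admin's chain (the report above) with the creator-only lookup the fix comment describes. All names (ActionChain, ChainStore, user_can_access, demo) are assumptions for the example.

```python
# Added example (hypothetical names, not Spacewalk's classes): creator-only
# access to action chains, the check whose absence the report describes.
from dataclasses import dataclass, field


@dataclass
class ActionChain:
    chain_id: int
    label: str
    creator: str                      # login of the user who created the chain
    actions: list = field(default_factory=list)


class NotFound(LookupError):
    """Chain does not exist for this caller (no hint that another user's chain exists)."""


class ChainStore:
    def __init__(self):
        self._chains = {}

    def create(self, creator, label):
        chain = ActionChain(len(self._chains) + 1, label, creator)
        self._chains[chain.chain_id] = chain
        return chain

    # Vulnerable lookup: whoever knows (or guesses) the numeric id gets the chain,
    # so a plain user can open, edit and schedule an admin's chain.
    def lookup_by_id_only(self, chain_id):
        return self._chains.get(chain_id)

    # Fixed lookup: the id is resolved only among the caller's own chains.
    def lookup_for_user(self, chain_id, user):
        chain = self._chains.get(chain_id)
        if chain is None or chain.creator != user:
            raise NotFound(chain_id)
        return chain

    def list_for_user(self, user):
        return [c for c in self._chains.values() if c.creator == user]

    def schedule(self, chain_id, user):
        # Goes through the fixed lookup, so creator and scheduler always coincide.
        chain = self.lookup_for_user(chain_id, user)
        return {"chain": chain.label, "scheduler": user, "actions": list(chain.actions)}


def user_can_access(store, chain_id, user):
    try:
        store.lookup_for_user(chain_id, user)
        return True
    except NotFound:
        return False


def demo():
    """Replay the report: admin creates a chain, a plain user tries to reach it."""
    store = ChainStore()
    chain = store.create("admin", "errata-then-reboot")   # constructed sample chain
    chain.actions.append("apply errata")
    reachable_before = store.lookup_by_id_only(chain.chain_id) is not None
    reachable_after = user_can_access(store, chain.chain_id, "user")
    return reachable_before, reachable_after, store.schedule(chain.chain_id, "admin")["scheduler"]
```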
SW version spacewalk-java-2.3.69-1
SW commit ffa27114e884dc3080163a53852d9ff10d7c3459 spacewalk-java-2.3.70-1
Verified with spacewalk-java-2.3.8-75.el6sat.noarch
With the release of Red Hat Satellite 5.7 on January 12th 2015 this bug is being moved to a Closed Current Release state.

The Satellite 5.7 GA Errata:
- https://rhn.redhat.com/errata/RHSA-2015-0033.html

Satellite 5.7 Release Notes:
- https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/5.7/html-single/Release_Notes/index.html

Satellite Customer Portal Blog announcement for release:
- https://access.redhat.com/blogs/1169563/posts/1315743

Cliff

NOTE: This bug has not been re-verified (moved to RELEASE_PENDING) prior to release. We assume that the bug has indeed been fixed and not regressed since we initially verified it. Please re-open in the future if needed.