Bug 1256790 - cockpit propagated users it never should have
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: cockpit
Version: 22
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Peter
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2015-08-25 12:48 UTC by Dennis Gilmore
Modified: 2016-07-19 20:18 UTC
Last Closed: 2016-07-19 20:18:55 UTC



Description Dennis Gilmore 2015-08-25 12:48:41 UTC
Description of problem:
In my environment I have a few different machines with cockpit on them. One of the machines has asterisk on it and runs an ftp server so that my polycom phones can get their ftp configs. I have ftp firewalled off to the outside wall and configured ssh on that machine to not allow that user to ssh in. I use freeipa for propagating users to different machines.

I think I had misunderstood the copy user configuration option in cockpit. I thought it would copy to the other machines the info about the hosts that cockpit knows about, so if I log into any machine it will have all the hosts and I would not have to add them all again.

Because of the copying of the user, spammers were able to use a server to send a lot of spam.

I think that option should be removed; at the least it needs to be much clearer about what it is doing and not leave things up to user interpretation.


Comment 1 Stef Walter 2015-10-19 10:25:20 UTC
Peter is working on this as part of this:

https://trello.com/c/0B6y8SXP/216-better-workflow-for-adding-machines

Comment 2 Eric Christensen 2015-10-29 14:35:22 UTC
Is this a security issue or a documentation issue?

Comment 3 Peter 2015-10-29 14:41:18 UTC
It probably should have been better documented, but instead we are reworking the UI to allow selection of which users to copy instead of copying them all automatically.

You can follow the upstream work here:
https://github.com/cockpit-project/cockpit/pull/3018

Comment 4 Eric Christensen 2015-10-29 15:03:44 UTC
If it's okay with you I'll remove the security status of this bug, then, and call it a documentation problem (no CVE).

Comment 5 Peter 2015-10-29 15:18:56 UTC
I think that makes sense.

Comment 6 Peter 2015-11-20 21:21:16 UTC
This was fixed upstream. Should be in the next release.

Comment 7 Fedora End Of Life 2016-07-19 20:18:55 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
