Bug 536105 - (RHQ-491) group definitions can be used to show password fields from plugin/resource config
Status: CLOSED NEXTRELEASE
Product: RHQ Project
Classification: Other
Component: Resource Grouping
Version: 1.0
Hardware: All
OS: All
Priority: medium
Severity: medium
Assigned To: Joseph Marques
QA Contact: Jeff Weiss
URL: http://jira.rhq-project.org/browse/RH...
Keywords: SubBug
CVE: CVE-2008-5083
Blocks: RHQ-399
Reported: 2008-05-15 17:17 EDT by Charles Crouch
Modified: 2015-02-01 18:25 EST
Fixed In Version: 1.2
Doc Type: Bug Fix
Attachments: None

Description Charles Crouch 2008-05-15 17:17:00 EDT
I created a group definition:

resource.type.plugin = JBossAS
resource.type.category = Server
groupby resource.pluginConfiguration[credentials]

and it created a group called:
DynaGroup - groupname ( admin )

where admin is the jmx password used to connect to the JBAS instances. I don't think this credential information is retrievable in plain text from anywhere else in the UI.
Comment 1 Joseph Marques 2008-05-15 19:14:17 EDT
Well, I think you can get it as the admin user from any of the various pages available in the /admin/* web context if you're logged in as an admin.

There are two options here:

1) make the group definition creation / dynagroup manip only available to inventory managers, which would, granted, still allow them to do stupid things...though I question what the value of creating this type of group definition would be  ; )
2) make this illegal by preventing expressions that contain properties whose type is password

I'm guessing people are going to vote for option 2, but if so then are we going to somehow lock down the /admin/* pages in the same manner?
Comment 2 Charles Crouch 2008-05-16 11:06:34 EDT
I think /admin is sufficiently locked down, only "JON admin" users have access which should exclude the vast majority of users. We should investigate encrypting password properties in the DB.
Comment 3 Joseph Marques 2008-12-09 12:56:01 EST
rev2260 - suppress private property results in dynagroup calculations;
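The leak in the description and the suppression from comment 3, modelled together as an added example that is not RHQ's own code: a toy evaluator for the group-definition syntax shown in the report. With suppress_private=False it reproduces the reported behaviour (the JMX password ends up in the group name); with suppress_private=True a groupby on a password-typed property yields no groups, matching what comment 4 verified. The Property/Resource classes, the password flag, the three expression paths it understands and the inventory are all constructed assumptions; RHQ's real expression parser and domain model differ.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for RHQ's configuration model (not the project's own classes).
@dataclass
class Property:
    name: str
    value: str
    password: bool = False  # True when the plugin descriptor declares the property as a password

@dataclass
class Resource:
    name: str
    plugin: str                         # resource.type.plugin
    category: str                       # resource.type.category
    plugin_config: Dict[str, Property]  # resource.pluginConfiguration[key]

PLUGIN_CONFIG_RE = re.compile(r"^resource\.pluginConfiguration\[(\w+)\]$")

def resolve(resource: Resource, path: str) -> Optional[Property]:
    """Resolve one expression path against a resource. Returns the Property, not
    its bare value, so the caller can see whether it is password-typed."""
    if path == "resource.type.plugin":
        return Property("plugin", resource.plugin)
    if path == "resource.type.category":
        return Property("category", resource.category)
    m = PLUGIN_CONFIG_RE.match(path)
    if m:
        return resource.plugin_config.get(m.group(1))  # None when the key is absent
    raise ValueError(f"unsupported expression path: {path}")

def parse_definition(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split a definition into 'path = literal' conditions and 'groupby path' lines."""
    conditions, groupby = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("groupby "):
            groupby.append(line[len("groupby "):].strip())
            continue
        path, sep, literal = line.partition("=")
        if not sep:
            raise ValueError(f"malformed condition: {line}")
        conditions.append((path.strip(), literal.strip()))
    return conditions, groupby

def matches(resource: Resource, conditions: List[Tuple[str, str]]) -> bool:
    for path, literal in conditions:
        prop = resolve(resource, path)
        if prop is None or prop.value != literal:
            return False
    return True

def calculate_groups(definition_name: str, definition: str, resources: List[Resource],
                     suppress_private: bool = True) -> Dict[str, List[str]]:
    """Return {group name: [member resource names]} for one group definition.
    suppress_private=False reproduces the report (secret value in the group name);
    suppress_private=True models the fix: a password-typed groupby key yields no groups."""
    conditions, groupby = parse_definition(definition)
    groups: Dict[str, List[str]] = {}
    for res in resources:
        if not matches(res, conditions):
            continue
        key_parts = []
        for path in groupby:
            prop = resolve(res, path)
            if prop is None:
                break                  # property absent on this resource: not grouped
            if suppress_private and prop.password:
                return {}              # the fix: never key a group on a secret value
            key_parts.append(prop.value)
        else:
            gname = f"DynaGroup - {definition_name} ( {', '.join(key_parts)} )"
            groups.setdefault(gname, []).append(res.name)
    return groups

# Constructed inventory: two JBossAS servers sharing the JMX password "admin", plus
# a Tomcat server that the conditions filter out.
SAMPLE_RESOURCES = [
    Resource("jbas-1", "JBossAS", "Server", {
        "principal": Property("principal", "admin"),
        "credentials": Property("credentials", "admin", password=True)}),
    Resource("jbas-2", "JBossAS", "Server", {
        "principal": Property("principal", "monitor"),
        "credentials": Property("credentials", "admin", password=True)}),
    Resource("tomcat-1", "Tomcat", "Server", {
        "principal": Property("principal", "admin")}),
]

# The definition from the report: groups by the password-typed property.
LEAKY_DEFINITION = """
resource.type.plugin = JBossAS
resource.type.category = Server
groupby resource.pluginConfiguration[credentials]
"""

# Same filter, grouped on a non-secret property; still allowed after the fix.
SAFE_DEFINITION = LEAKY_DEFINITION.replace("[credentials]", "[principal]")
```

Calling calculate_groups("groupname", LEAKY_DEFINITION, SAMPLE_RESOURCES, suppress_private=False) returns the single group "DynaGroup - groupname ( admin )" containing both JBossAS servers, exactly the name the reporter saw; with the default suppress_private=True the same call returns an empty dict, while SAFE_DEFINITION still produces one group per principal. Returning the Property rather than its value from resolve is the design point: the type information has to survive evaluation for the check to be possible at all.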
Comment 4 Jeff Weiss 2009-01-13 08:26:43 EST
Verified that no groups are created when using the described definition.  rev2561, windows/oracle
Comment 5 Red Hat Bugzilla 2009-11-10 16:10:25 EST
This bug was previously known as http://jira.rhq-project.org/browse/RHQ-491
Comment 6 Marc Schoenefeld 2010-12-27 09:05:45 EST
*** Bug 476080 has been marked as a duplicate of this bug. ***