Bug 587864 - ACL policy doesn't permit certain characters in usernames added to groups
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: Development
Hardware: All
OS: Linux
high
medium
Target Milestone: 1.3
Assignee: Rajith Attapattu
QA Contact: ppecka
Reported: 2010-05-01 07:51 UTC by Tim Powers
Modified: 2010-10-20 11:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix


Attachments
Adds a completely untested checkUserName function to allow for both normal-ish usernames as well as kerberos host/service principles (1.99 KB, patch)
2010-05-01 07:51 UTC, Tim Powers

Description Tim Powers 2010-05-01 07:51:49 UTC
Created attachment 410648
Adds a completely untested checkUserName function to allow for both normal-ish usernames as well as kerberos host/service principles

Description of problem:
While trying to add a host principal to a group, the ACL policy file fails to load and prevents qpidd from running.

Version-Release number of selected component (if applicable):
0.7.929717-1.el5

How reproducible:
Fails every time.

Steps to Reproduce:
1. Add a host or service principal to a group in the ACL file. Something like this will suffice:
  group somegroup host/somemachine.example.com
  
Actual results:
Failure to start. Error message is:
Daemon startup failed: Could not read ACL file ACL format error: /etc/qpid/policy.acl:25: Name "host/somemachine.example.com" contains illegal characters.

Expected results:
Should load and parse the group cleanly.
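
An added sketch of allowlist validation for `group` lines that accepts Kerberos host/service principals and still rejects anything else with a file:line error. This is not the attached patch or the upstream fix; `checkGroupLine`, `firstIllegalChar` and the allowed character set are assumptions made for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Assumed allowlist (not taken from the qpid sources): alphanumerics plus the
// punctuation that appears in principals such as host/fqdn@REALM.
static bool isAllowedNameChar(unsigned char c) {
    return std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '/' || c == '@';
}

// Index of the first character outside the allowlist, or npos if the name is clean.
std::string::size_type firstIllegalChar(const std::string& name) {
    for (std::string::size_type i = 0; i < name.size(); ++i)
        if (!isAllowedNameChar(static_cast<unsigned char>(name[i]))) return i;
    return std::string::npos;
}

// Checks one "group <group-name> <member> ..." line. Returns "" when the line is
// acceptable, otherwise an error prefixed with file:line as in the reported message.
// The group name and every member are held to the same allowlist.
std::string checkGroupLine(const std::string& file, int lineNo, const std::string& line) {
    std::istringstream in(line);
    std::vector<std::string> toks;
    for (std::string tok; in >> tok;) toks.push_back(tok);
    std::ostringstream err;
    err << file << ":" << lineNo << ": ";
    if (toks.size() < 3 || toks[0] != "group") {
        err << "Expected: group <group-name> <member> [<member> ...]";
        return err.str();
    }
    for (std::size_t i = 1; i < toks.size(); ++i) {
        const std::string::size_type pos = firstIllegalChar(toks[i]);
        if (pos != std::string::npos) {  // fail closed: reject the whole line
            err << "Name \"" << toks[i] << "\" contains illegal character '"
                << toks[i][pos] << "' at offset " << pos << ".";
            return err.str();
        }
    }
    return "";
}

int main() {
    // The group line from the report, followed by a constructed bad line.
    std::cout << checkGroupLine("/etc/qpid/policy.acl", 25,
                                "group somegroup host/somemachine.example.com").empty() << "\n";
    std::cout << checkGroupLine("/etc/qpid/policy.acl", 26, "group admins bob;rm") << "\n";
    return 0;
}
```

Widening the allowlist to `/` and `@` is only safe while names are compared as opaque strings; if a name is ever used to build a path or a command, it needs separate handling there.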

Comment 1 Rajith Attapattu 2010-05-12 13:34:06 UTC
I have checked in a fix upstream at rev 943351
This also contains test cases and improved error reporting.

Comment 2 ppecka 2010-05-31 13:29:33 UTC
verified on RHEL 5.5/4.8 - i386/x86_64:

rpm -qa | grep -E '(qpid|ais|sesame)' | sort -n
openais-0.80.6-16.el5_5.1
openais-debuginfo-0.80.6-16.el5_5.1
openais-devel-0.80.6-16.el5_5.1
python-qpid-0.7.946106-1.el5
qpid-cpp-client-0.7.946106-1.el5
qpid-cpp-client-devel-0.7.946106-1.el5
qpid-cpp-client-devel-docs-0.7.946106-1.el5
qpid-cpp-client-ssl-0.7.946106-1.el5
qpid-cpp-server-0.7.946106-1.el5
qpid-cpp-server-cluster-0.7.946106-1.el5
qpid-cpp-server-devel-0.7.946106-1.el5
qpid-cpp-server-ssl-0.7.946106-1.el5
qpid-cpp-server-store-0.7.946106-1.el5
qpid-cpp-server-xml-0.7.946106-1.el5
qpid-java-client-0.7.946106-3.el5
qpid-java-common-0.7.946106-3.el5
qpid-tools-0.7.946106-4.el5
rh-tests-distribution-MRG-Messaging-qpid_common-1.6-27
sesame-0.7.3918-2.el5

--> VERIFIED

