Bug 805012 - rhn-channel: non-trusted admin can unsubscribe child channels in another organization
rhn-channel: non-trusted admin can unsubscribe child channels in another orga...
Product: Spacewalk
Classification: Community
Component: Clients (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Milan Zázrivec
Red Hat Satellite QA List
Depends On:
Blocks: 808549 space18
  Show dependency treegraph
Reported: 2012-03-20 08:53 EDT by Lukas Pramuk
Modified: 2012-11-01 12:19 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 808549 (view as bug list)
Last Closed: 2012-11-01 12:19:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Lukas Pramuk 2012-03-20 08:53:49 EDT
Description of problem:
With rhn-channel tool are you able unsubscribe child channels (-r ) using non-trusted or even any admin credentials.

Admin account can unsubscribe child channels if he knows/guesses child channel lables. Admin is not able to list them ( -L )
During unsubscribe there is no check: 
 - whether his organization has allowed access to these channels (owning or trusted)
 - whether the machine belongs to his organization 

Version-Release number of selected component (if applicable):

How reproducible: 

Steps to Reproduce:
1. Create two non-trusted organization org1 and org2, each having its own admin1 and admin2
2. Under admin1 acount create child channel child1 , org1 has access, org2 doesn't.
3. Under admin1 account subscribe a system to that child channel.
4. With rhn-channel using admin2 credentials do the evil (channel unsubscribe)   
# rhn-channel -u admin2 -p pass2 -r -c child1  

Actual results:
channel is unsubscribed

Expected results:
channel cannot be unsubsribed, warning/error msg is displayed about that.
(choosing what status has higher priority - no permission to system vs. no permission to channel)

Warning - Channel permissions (copyied from subsribing channels "-a" )
Error communicating with server. The message was:

Error Class Code: 71
Error Class Info: 
     You do not have subscription permission to the designated channel.
     Please refer to your organization's channel or organization
     administrators for further details.
     An error has occurred while processing your request. If this problem
     persists please enter a bug report at bugzilla.redhat.com.
     If you choose to submit the bug report, please be sure to include
     details of what you were trying to do when this error occurred and
     details on how to reproduce this problem.
Error - Machine permissions (copyied from listing child channels "-L")
Error when listing child channels: redstone.xmlrpc.XmlRpcFault: No such system - sid = 1000010010
Comment 1 Milan Zázrivec 2012-03-30 12:34:45 EDT
spacewalk.git master: 558dfcde3ee34429fcb1f68ee23c93f3eb8f70ed
Comment 2 Jan Pazdziora 2012-06-15 10:01:12 EDT
This is Spacewalk bugzilla -- could we have it public?
Comment 3 Jan Pazdziora 2012-10-30 15:24:34 EDT
Moving ON_QA. Packages that address this bugzilla should now be available in yum repos at http://yum.spacewalkproject.org/nightly/
Comment 4 Jan Pazdziora 2012-11-01 12:19:55 EDT
Spacewalk 1.8 has been released: https://fedorahosted.org/spacewalk/wiki/ReleaseNotes18

Note You need to log in before you can comment on or make changes to this bug.