Bug 805012
| Summary: | rhn-channel: non-trusted admin can unsubscribe child channels in another organization | |||
|---|---|---|---|---|
| Product: | [Community] Spacewalk | Reporter: | Lukas Pramuk <lpramuk> | |
| Component: | Clients | Assignee: | Milan Zázrivec <mzazrivec> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Red Hat Satellite QA List <satqe-list> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 1.7 | CC: | cperry, jpazdziora | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 808549 (view as bug list) | Environment: | ||
| Last Closed: | 2012-11-01 16:19:55 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 808549, 871344 | |||
spacewalk.git master: 558dfcde3ee34429fcb1f68ee23c93f3eb8f70ed This is Spacewalk bugzilla -- could we have it public? Moving ON_QA. Packages that address this bugzilla should now be available in yum repos at http://yum.spacewalkproject.org/nightly/ Spacewalk 1.8 has been released: https://fedorahosted.org/spacewalk/wiki/ReleaseNotes18 |
Description of problem: With rhn-channel tool are you able unsubscribe child channels (-r ) using non-trusted or even any admin credentials. Admin account can unsubscribe child channels if he knows/guesses child channel lables. Admin is not able to list them ( -L ) During unsubscribe there is no check: - whether his organization has allowed access to these channels (owning or trusted) - whether the machine belongs to his organization Version-Release number of selected component (if applicable): 1.7.14-1.el6 How reproducible: 100% Steps to Reproduce: 1. Create two non-trusted organization org1 and org2, each having its own admin1 and admin2 2. Under admin1 acount create child channel child1 , org1 has access, org2 doesn't. 3. Under admin1 account subscribe a system to that child channel. 4. With rhn-channel using admin2 credentials do the evil (channel unsubscribe) # rhn-channel -u admin2 -p pass2 -r -c child1 Actual results: channel is unsubscribed Expected results: channel cannot be unsubsribed, warning/error msg is displayed about that. (choosing what status has higher priority - no permission to system vs. no permission to channel) Warning - Channel permissions (copyied from subsribing channels "-a" ) --- Error communicating with server. The message was: Error Class Code: 71 Error Class Info: You do not have subscription permission to the designated channel. Please refer to your organization's channel or organization administrators for further details. Explanation: An error has occurred while processing your request. If this problem persists please enter a bug report at bugzilla.redhat.com. If you choose to submit the bug report, please be sure to include details of what you were trying to do when this error occurred and details on how to reproduce this problem. --- Error - Machine permissions (copyied from listing child channels "-L") --- Error when listing child channels: redstone.xmlrpc.XmlRpcFault: No such system - sid = 1000010010 ---