Red Hat Bugzilla – Bug 805012
rhn-channel: non-trusted admin can unsubscribe child channels in another organization
Last modified: 2012-11-01 12:19:55 EDT
Description of problem:
With rhn-channel tool are you able unsubscribe child channels (-r ) using non-trusted or even any admin credentials.
Admin account can unsubscribe child channels if he knows/guesses child channel lables. Admin is not able to list them ( -L )
During unsubscribe there is no check:
- whether his organization has allowed access to these channels (owning or trusted)
- whether the machine belongs to his organization
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create two non-trusted organization org1 and org2, each having its own admin1 and admin2
2. Under admin1 acount create child channel child1 , org1 has access, org2 doesn't.
3. Under admin1 account subscribe a system to that child channel.
4. With rhn-channel using admin2 credentials do the evil (channel unsubscribe)
# rhn-channel -u admin2 -p pass2 -r -c child1
channel is unsubscribed
channel cannot be unsubsribed, warning/error msg is displayed about that.
(choosing what status has higher priority - no permission to system vs. no permission to channel)
Warning - Channel permissions (copyied from subsribing channels "-a" )
Error communicating with server. The message was:
Error Class Code: 71
Error Class Info:
You do not have subscription permission to the designated channel.
Please refer to your organization's channel or organization
administrators for further details.
An error has occurred while processing your request. If this problem
persists please enter a bug report at bugzilla.redhat.com.
If you choose to submit the bug report, please be sure to include
details of what you were trying to do when this error occurred and
details on how to reproduce this problem.
Error - Machine permissions (copyied from listing child channels "-L")
Error when listing child channels: redstone.xmlrpc.XmlRpcFault: No such system - sid = 1000010010
spacewalk.git master: 558dfcde3ee34429fcb1f68ee23c93f3eb8f70ed
This is Spacewalk bugzilla -- could we have it public?
Moving ON_QA. Packages that address this bugzilla should now be available in yum repos at http://yum.spacewalkproject.org/nightly/
Spacewalk 1.8 has been released: https://fedorahosted.org/spacewalk/wiki/ReleaseNotes18