Bug 805012 - rhn-channel: non-trusted admin can unsubscribe child channels in another organization
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Clients
Version: 1.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Milan Zázrivec
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: 808549 space18
Reported: 2012-03-20 12:53 UTC by Lukas Pramuk
Modified: 2012-11-01 16:19 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 808549 (view as bug list)
Environment:
Last Closed: 2012-11-01 16:19:55 UTC
Embargoed:



Description Lukas Pramuk 2012-03-20 12:53:49 UTC
Description of problem:
With the rhn-channel tool you are able to unsubscribe child channels (-r) using non-trusted or even any admin credentials.

Admin account can unsubscribe child channels if he knows/guesses child channel labels. Admin is not able to list them (-L).
During unsubscribe there is no check: 
 - whether his organization has allowed access to these channels (owning or trusted)
 - whether the machine belongs to his organization 


Version-Release number of selected component (if applicable):
1.7.14-1.el6

How reproducible: 
100%

Steps to Reproduce:
1. Create two non-trusted organizations org1 and org2, each having its own admin1 and admin2
2. Under admin1 account create child channel child1; org1 has access, org2 doesn't.
3. Under admin1 account subscribe a system to that child channel.
4. With rhn-channel using admin2 credentials do the evil (channel unsubscribe)   
# rhn-channel -u admin2 -p pass2 -r -c child1  

Actual results:
channel is unsubscribed

Expected results:
channel cannot be unsubscribed, warning/error msg is displayed about that.
(choosing what status has higher priority - no permission to system vs. no permission to channel)

Warning - Channel permissions (copied from subscribing channels "-a")
---
Error communicating with server. The message was:

Error Class Code: 71
Error Class Info: 
     You do not have subscription permission to the designated channel.
     Please refer to your organization's channel or organization
     administrators for further details.
Explanation: 
     An error has occurred while processing your request. If this problem
     persists please enter a bug report at bugzilla.redhat.com.
     If you choose to submit the bug report, please be sure to include
     details of what you were trying to do when this error occurred and
     details on how to reproduce this problem.
---
Error - Machine permissions (copied from listing child channels "-L")
---
Error when listing child channels: redstone.xmlrpc.XmlRpcFault: No such system - sid = 1000010010
---
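
Added example, not part of the original report and not Spacewalk code: a toy in-memory model of the two checks the description says are missing on unsubscribe, with the unchecked path beside the checked one. Every class, function and field name is hypothetical; trust is simplified to a symmetric org pair, and putting the system check ahead of the channel check is an assumption, since the report leaves that priority open.

```python
from dataclasses import dataclass, field

class NoSuchSystem(Exception):
    """System is missing or outside the caller's organization."""

class NoChannelPermission(Exception):
    """Channel is missing or not owned by / shared with the caller's org."""

@dataclass
class Server:
    # Toy in-memory model; every name here is hypothetical, not Spacewalk code.
    user_org: dict       # login -> organization
    system_org: dict     # system id -> owning organization
    channel_org: dict    # channel label -> owning organization
    trusts: set = field(default_factory=set)           # frozenset({org_a, org_b})
    subscriptions: dict = field(default_factory=dict)  # system id -> {labels}

    def org_can_access_channel(self, org, label):
        owner = self.channel_org.get(label)
        if owner is None:
            return False  # unknown label is treated the same as a foreign one
        return owner == org or frozenset((owner, org)) in self.trusts

    def unsubscribe_unchecked(self, login, sid, label):
        # Behaviour as reported: any valid admin login, no organization checks.
        self.subscriptions[sid].discard(label)

    def unsubscribe_checked(self, login, sid, label):
        org = self.user_org[login]
        # Check 1 (assumed to take priority): the system is in the caller's org.
        if self.system_org.get(sid) != org:
            raise NoSuchSystem(f"No such system - sid = {sid}")
        # Check 2: the channel is owned by, or trusted to, the caller's org.
        if not self.org_can_access_channel(org, label):
            raise NoChannelPermission(label)
        self.subscriptions[sid].discard(label)

def build_demo():
    # Constructed data mirroring the reproduction steps above.
    return Server(
        user_org={"admin1": "org1", "admin2": "org2"},
        system_org={1000010010: "org1"},
        channel_org={"child1": "org1"},
        subscriptions={1000010010: {"child1"}},
    )
```

Returning the same error for a missing and an inaccessible channel label means a guessed label is neither confirmed nor denied by the response.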

Comment 1 Milan Zázrivec 2012-03-30 16:34:45 UTC
spacewalk.git master: 558dfcde3ee34429fcb1f68ee23c93f3eb8f70ed

Comment 2 Jan Pazdziora 2012-06-15 14:01:12 UTC
This is Spacewalk bugzilla -- could we have it public?

Comment 3 Jan Pazdziora 2012-10-30 19:24:34 UTC
Moving ON_QA. Packages that address this bugzilla should now be available in yum repos at http://yum.spacewalkproject.org/nightly/

Comment 4 Jan Pazdziora 2012-11-01 16:19:55 UTC
Spacewalk 1.8 has been released: https://fedorahosted.org/spacewalk/wiki/ReleaseNotes18
