Bug 896074 - CLI - user without access can call "system remove_deletion" command.
Summary: CLI - user without access can call "system remove_deletion" command.
Keywords:
Status: CLOSED DUPLICATE of bug 991634
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Hammer
Version: Nightly
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: Adam Price
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks: CVE-2013-4201
 
Reported: 2013-01-16 15:00 UTC by Hayk Hovsepyan
Modified: 2014-09-18 17:01 UTC (History)
CC List: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-03 05:12:29 UTC
Target Upstream Version:
Embargoed:



Description Hayk Hovsepyan 2013-01-16 15:00:32 UTC
Description of problem:
When a user without "remove system" permissions calls the CLI command "system remove_deletion", it finishes successfully without any warning.

Version-Release number of selected component (if applicable):
katello-glue-candlepin-1.3.3-1.git.9.9377ddb.el6.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-repos-1.3.2-1.el6.noarch
katello-configure-1.3.3-1.git.5.0f1d8f6.el6.noarch
katello-glue-foreman-1.3.3-1.git.9.9377ddb.el6.noarch
katello-agent-1.1.3-1.el6.noarch
katello-selinux-1.3.1-1.el6.noarch
katello-1.3.3-1.git.9.9377ddb.el6.noarch
katello-qpid-client-key-pair-1.0-1.noarch
katello-cli-1.3.3-1.el6.noarch
katello-certs-tools-1.1.9-1.el6.noarch
katello-common-1.3.3-1.git.9.9377ddb.el6.noarch
katello-glue-pulp-1.3.3-1.git.9.9377ddb.el6.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-cli-common-1.3.3-1.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. Register a new system.
2. Create a user without rights to remove systems (org or global).
3. From the UI, delete that system as the admin user.
4. In the CLI, call the "system remove_deletion" command as the newly created user. You will see that no error message is shown and the system is removed, which is a bug.
  
Actual results:
The system is removed even though the user does not have permission to remove it.

Expected results:
An error message should be thrown indicating that the current user does not have permission to call that command.

Comment 1 Lukas Zapletal 2013-01-22 12:14:41 UTC
Ok, this is the test we do in Katello:

      when :api_proxy_consumer_deletionrecord_delete_path
        if !User.consumer?
          consumer_gone = consumer_live = false
          begin
            Resources::Candlepin::Consumer.get params[:id] # check with candlepin if system is Gone, raises RestClient::Gone
            # a 200 means the system exists. the deletion record wont exist, but its
            # not a permissions error
            consumer_live = true
          rescue RestClient::Gone
            # the correct response is a 410, since the system has been deleted
            consumer_gone = true
          end
        end
        # result of the authorization rule: true grants access to the proxy route
        User.consumer? || consumer_gone || consumer_live

Obviously we pass non-consumer users, which is a security issue (consumer_live is true).

@Jordan - can you please guide me what was the idea behind consumer_live variable?

Comment 2 Jordan OMara 2013-01-22 15:29:33 UTC
This code was modified to allow non-consumer access to the deletion record, i.e. letting a user directly remove a system's deletion record.

the consumer_live means the system is currently active; consumer_gone means the system has been deleted (and thus should have a deletion record)

I think the issue is that if the user is NOT a consumer, we need to perform an additional check

1. load katello system object based on candlepin id,
2. ensure "system.editable?" for that system

Something like:

User.consumer? || (system.editable? && (consumer_gone || consumer_live))
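
The two authorization rules under discussion, side by side, as an added example that is not Katello's own code. The Candlepin lookup is stubbed so it runs offline: FakeCandlepin, FakeUser, FakeSystem, ConsumerGone, ConsumerNotFound and the user/consumer data are constructed for illustration, and `editable_by?(user)` stands in for `system.editable?` evaluated for the current user.

```ruby
# Added example (not Katello code). Models the rule quoted in Comment 1 and the
# extra per-system permission check proposed in Comment 2.

class ConsumerGone < StandardError; end       # stands in for RestClient::Gone (410)
class ConsumerNotFound < StandardError; end   # stands in for a 404 (assumption)

# Constructed stand-in for Candlepin: it knows which consumer UUIDs are still
# registered and which were deleted (and therefore answer 410 Gone).
class FakeCandlepin
  def initialize(live:, gone:)
    @live = live
    @gone = gone
  end

  def get(uuid)
    return { "uuid" => uuid } if @live.include?(uuid)
    raise ConsumerGone, "410 Gone" if @gone.include?(uuid)
    raise ConsumerNotFound, "404 Not Found"
  end
end

# consumer: true for a system's own subscription-manager identity cert,
# can_edit_systems: whether the user holds the "edit/remove systems" permission.
FakeUser = Struct.new(:name, :consumer, :can_edit_systems) do
  def consumer?
    consumer
  end
end

# Katello system object looked up by its Candlepin UUID.
FakeSystem = Struct.new(:uuid, :org) do
  # plays the role of System#editable?, which is evaluated for the current user
  def editable_by?(user)
    user.can_edit_systems
  end
end

# Classifies the consumer with Candlepin exactly as the quoted code does.
# Returns [consumer_gone, consumer_live]; any other error propagates, as in
# the original, which only rescues Gone.
def consumer_state(candlepin, uuid)
  candlepin.get(uuid)
  [false, true]            # 200: the system still exists
rescue ConsumerGone
  [true, false]            # 410: the system was deleted, a deletion record should exist
end

# Rule before the fix: any authenticated user is allowed as long as Candlepin
# knows the consumer at all, whether it is live or already gone.
def allowed_before_fix?(user, candlepin, uuid)
  return true if user.consumer?
  gone, live = consumer_state(candlepin, uuid)
  gone || live
end

# Rule after the fix (Comment 2): a non-consumer user must additionally be
# permitted to edit the Katello system that corresponds to the Candlepin id.
def allowed_after_fix?(user, candlepin, uuid, system)
  return true if user.consumer?
  gone, live = consumer_state(candlepin, uuid)
  system.editable_by?(user) && (gone || live)
end

if $PROGRAM_NAME == __FILE__
  cp     = FakeCandlepin.new(live: ["live-uuid"], gone: ["gone-uuid"])
  nobody = FakeUser.new("nobody", false, false)   # no system permissions
  system = FakeSystem.new("gone-uuid", "ACME_Corporation")
  puts "before fix, nobody on deleted system: #{allowed_before_fix?(nobody, cp, 'gone-uuid')}"
  puts "after fix,  nobody on deleted system: #{allowed_after_fix?(nobody, cp, 'gone-uuid', system)}"
end
```

Running it shows the reported behaviour (a user with no system permissions is granted the delete-deletion-record route before the fix) and that the added `editable?` conjunction denies that user while still admitting a consumer identity and a user who can edit the system.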

Comment 3 Lukas Zapletal 2013-01-23 15:26:15 UTC
Nice catch!

Fixed:

https://github.com/Katello/katello/pull/1449

[root@bb ~]# katello --user nobody --pass nobody system remove_deletion --uuid d6e48043-46f1-4ee1-9eab-b4923a92a55b
User nobody is not allowed to access api/candlepin_proxies/delete

Comment 4 Hayk Hovsepyan 2013-01-29 16:29:08 UTC
Now, on the latest katello build, when "admin" calls that command it says: "User admin is not allowed to access api/candlepin_proxies/delete".
Should the "admin" user not still have access to call "system remove_deletion"?

Comment 5 Hayk Hovsepyan 2013-04-16 09:27:12 UTC
Tested on revision:
katello-qpid-broker-key-pair-1.0-1.noarch
katello-all-1.4.1-1.git.9.ff9a101.el6.noarch
katello-repos-1.4.1-1.el6.noarch
katello-certs-tools-1.4.1-1.el6.noarch
katello-configure-1.4.1-1.el6.noarch
katello-glue-candlepin-1.4.1-1.git.9.ff9a101.el6.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-cli-1.4.1-1.el6.noarch
katello-selinux-1.4.1-1.el6.noarch
katello-glue-pulp-1.4.1-1.git.9.ff9a101.el6.noarch
katello-agent-1.4.1-1.el6.noarch
katello-glue-elasticsearch-1.4.1-1.git.9.ff9a101.el6.noarch
katello-1.4.1-1.git.9.ff9a101.el6.noarch
katello-cli-common-1.4.1-1.el6.noarch
katello-common-1.4.1-1.git.9.ff9a101.el6.noarch
katello-qpid-client-key-pair-1.0-1.noarch

The main bug still exists:
1. Register a new system.
2. Create a user without rights to remove systems (org or global).
3. Unregister that system.
4. In the CLI, call the "system remove_deletion" command as the newly created user. You will see that no error message is shown and the system is removed, which is a bug.

Comment 7 Adam Price 2013-07-29 21:29:22 UTC
https://github.com/Katello/katello/pull/2695

Comment 8 Kurt Seifried 2013-08-03 05:12:29 UTC
Closing as a duplicate of the tool-generated tracking bugs (this will create fewer problems than trying to convert this bug to a tracker).

*** This bug has been marked as a duplicate of bug 991634 ***

