+++ This bug was initially created as a clone of Bug #959457 +++

Description of problem:
The backend/satellite_exporter/handlers/non_auth_dumper.py calls don't check the authenticity of the client, beyond the initial /SAT authentication.check done in backend/server/handlers/sat/auth.py. With a trivially modified satellite-sync client which skips the initial /SAT call, any client machine can get any channel content from any Satellite it can access via HTTP(S).

Version-Release number of selected component (if applicable):
Reproduced on spacewalk-nightly. The hole might have been there since the ISS feature was introduced.

How reproducible:
Deterministic.

Steps to Reproduce:
1. Have a Satellite that does not have your client machine's IP in /etc/rhn/rhn.conf's allowed_iss_slaves.
2. In fact, to make things "extra secure", you can set disable_iss=1 too.
3. On the client machine (likely another Satellite), apply the following patch to your satsync.py file:

--- /usr/lib/python2.4/site-packages/spacewalk/satellite_tools/satsync.py.orig 2013-01-10 07:12:50.000000000 -0500
+++ /usr/lib/python2.4/site-packages/spacewalk/satellite_tools/satsync.py 2013-05-03 10:17:24.000000000 -0400
@@ -454,6 +454,9 @@ else: raise RhnSyncException, _('ERROR: this server must be registered with RHN.'), sys.exc_info()[2] # authorization check of the satellite + xmlWireSource.BaseWireSource(self.systemid, self.sslYN, + self.xml_dump_version) + return auth = xmlWireSource.AuthWireSource(self.systemid, self.sslYN, self.xml_dump_version) auth.checkAuth()

4. Run satellite-sync against the "secured" Satellite:
satellite-sync --step=channels --iss-parent=sputnik-prod.brq.redhat.com --no-ssl -l

Actual results:
10:28:23 WARNING: --list-channels option overrides any --step option. --step ignored.
10:28:23 Red Hat Network Satellite - live synchronization
10:28:23 url: http://sputnik-prod.brq.redhat.com
10:28:23 debug/output level: 1
10:28:23 db: spaceuser/<password>@the_oracle
10:28:23
10:28:23 Retrieving / parsing channel-families data
10:28:24 channel-families data complete
10:28:24
10:28:24 Retrieving / parsing product names data
10:28:25 product names data complete
10:28:25
10:28:25 Retrieving / parsing channel data
10:28:40 p = previously imported/synced channel
10:28:40 . = channel not yet imported/synced
10:28:40 e = channel no longer supported (end-of-service)
10:28:40 base-channels:
10:28:40 . clone-3-rhel-x86_64-server-5 2825 full import from Fri May 3 16:23:03 2013
10:28:40 . clone-clone-3-rhel-x86_64-server-5 2825 full import from Fri May 3 16:22:55 2013
10:28:40 . clone-rhel-x86_64-server-6 3430 full import from Fri May 3 16:23:27 2013
10:28:40 . jhutar-bz812053 0 full import from Fri May 3 16:23:16 2013
10:28:40 . jtesar-dup-test 1 full import from Fri May 3 16:23:10 2013
10:28:40 . jtesar-rhel-i386-server-5 10692 full import from Fri May 3 16:23:27 2013
10:28:40 . prod-clone-rhel-x86_64-client-5 1897 full import from Fri May 3 16:23:22 2013
10:28:40 . qa-clone-rhel-x86_64-client-5 10004 full import from Fri May 3 16:22:57 2013
10:28:40 . rhel-i386-client-5 9352 full import from Fri May 3 16:23:13 2013
[...]
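Review bot: in the @@ -454,6 +454,9 @@ hunk the added `return` makes the `auth = xmlWireSource.AuthWireSource(...)` and `auth.checkAuth()` lines after it unreachable, and the `xmlWireSource.BaseWireSource(...)` object built on the two lines before it is never assigned or used, so the three added lines are purely a bypass of the client-side authorization step, which is exactly what the reproducer needs. The point to carry into the server-side fix is that this is the only place the ISS check is exercised: a satellite-sync that never calls checkAuth(), as patched here, looks the same to the non_auth_dumper handlers as one that did, so those handlers must apply allowed_iss_slaves and disable_iss to every request themselves instead of assuming the /SAT call happened.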
Expected results:
10:16:31 WARNING: --list-channels option overrides any --step option. --step ignored.
10:16:31 Red Hat Network Satellite - live synchronization
10:16:31 url: http://sputnik-prod.brq.redhat.com
10:16:31 debug/output level: 1
10:16:31
10:16:31 ERROR: The Server listed within iss-parent is not configured for ISS capability. Please review your configuration before trying again.

Additional info:
We show this with -l above but I believe even syncing the content will run just fine.
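The shape of the flaw, as an added illustration that is not Spacewalk code and not part of this bug report: a minimal Python model of a satellite with a /SAT-style authentication.check handler and a non_auth_dumper-style channel dump handler. The class names, the `_check_iss_slave` helper, the `patched_satsync` / `honest_satsync` client flows and the channel data are all hypothetical stand-ins for the real handlers named above. The vulnerable variant enforces allowed_iss_slaves and disable_iss only in the auth handler, so a client that skips that call (the reporter's patched satellite-sync) still gets channel content; the hardened variant repeats the check inside every dump handler, which is the property the server-side fix has to provide.

```python
"""Hypothetical model of the ISS authorization gap (example code, not
Spacewalk's). Two servers expose the same two handlers: a /SAT-style
authentication.check and a non_auth_dumper-style channel dump."""

import ipaddress


class IssNotAllowed(Exception):
    """Raised when the peer is not an authorized ISS slave."""


class VulnerableSatellite:
    """Mirrors the reported behaviour: the only ISS check lives in the
    /SAT authentication.check handler; the dump handler trusts the caller."""

    def __init__(self, allowed_iss_slaves, disable_iss=False):
        self.allowed = {ipaddress.ip_address(a) for a in allowed_iss_slaves}
        self.disable_iss = disable_iss
        # Constructed sample channel content standing in for a real dump.
        self.channels = {"rhel-x86_64-server-6": ["pkg-a-1.0", "pkg-b-2.1"]}

    def _check_iss_slave(self, client_ip):
        """Hypothetical equivalent of the disable_iss / allowed_iss_slaves test."""
        if self.disable_iss:
            raise IssNotAllowed("ISS disabled on this server")
        if ipaddress.ip_address(client_ip) not in self.allowed:
            raise IssNotAllowed("%s is not in allowed_iss_slaves" % client_ip)

    def sat_auth_check(self, client_ip):
        """The /SAT authentication.check call an unmodified satellite-sync makes."""
        self._check_iss_slave(client_ip)
        return True

    def dump_channel(self, client_ip, label):
        """non_auth_dumper-style handler: no per-call authorization at all."""
        return list(self.channels[label])


class HardenedSatellite(VulnerableSatellite):
    """Every dump handler performs the ISS check itself, so skipping the
    auth call on the client side buys the attacker nothing."""

    def dump_channel(self, client_ip, label):
        self._check_iss_slave(client_ip)
        return list(self.channels[label])


def patched_satsync(server, client_ip, label):
    """Client with the bug report's patch applied: goes straight to the dump
    handler without ever calling sat_auth_check."""
    try:
        return ("ok", server.dump_channel(client_ip, label))
    except IssNotAllowed as exc:
        return ("refused", str(exc))


def honest_satsync(server, client_ip, label):
    """Unmodified client flow: authenticate first, then dump."""
    try:
        server.sat_auth_check(client_ip)
        return ("ok", server.dump_channel(client_ip, label))
    except IssNotAllowed as exc:
        return ("refused", str(exc))


if __name__ == "__main__":
    # A "secured" satellite: disable_iss=1 and the client IP not allowed.
    for cls in (VulnerableSatellite, HardenedSatellite):
        srv = cls(allowed_iss_slaves=["10.0.0.5"], disable_iss=True)
        print(cls.__name__, "patched client:",
              patched_satsync(srv, "192.0.2.10", "rhel-x86_64-server-6"))
        print(cls.__name__, "honest client:",
              honest_satsync(srv, "192.0.2.10", "rhel-x86_64-server-6"))
```

Running the script shows the vulnerable server handing the channel list to the patched client even with disable_iss set, while the honest client is refused; the hardened server refuses both, and only admits a listed slave when ISS is enabled.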
Fixed in commit 99771bb4759079291a852daec60a7f5afa0e40eb
Fix for this bug is present in Spacewalk 2.0, closing this bug as CURRENTRELEASE.