[jira] [Issue Comment Deleted] (SSHD-731) Vulnerability in SimpleAccessControlSftpEventListener implementation

2017-03-05 Thread Boris Fridland (JIRA)

[ https://issues.apache.org/jira/browse/SSHD-731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Boris Fridland updated SSHD-731:

Comment: was deleted

(was: Thanks for the fast response.
I am trying to use the workaround you suggested, however in Mina 1.3.0, which is the latest version in the Maven repository (https://mvnrepository.com/artifact/org.apache.sshd/sshd-core), there is no withFileSystemAccessor method in SftpSubsystemFactory.Builder().

How do you suggest to solve this issue?

Thanks.)

> Vulnerability in SimpleAccessControlSftpEventListener implementation
> --------------------------------------------------------------------
>
> Key: SSHD-731
> URL: https://issues.apache.org/jira/browse/SSHD-731
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 1.3.0
> Reporter: Boris Fridland
> Assignee: Goldstein Lyor
> Priority: Minor
> Fix For: 1.5.0
>
>
> After implementing sftp access control by overriding
> SimpleAccessControlSftpEventListener and adding it to SftpSubsystemFactory:
> Scenario:
> 1. set SimpleAccessControlSftpEventListener.isModificationAllowed to return false
> 2. Establish connection with WinScp
> 3. try to create new file
> expected result: access denied message + no influence on file system
> actual: access denied message, + empty file is written to server disc.
> in addition if existing file is opened, and being saved --> result is that
> file content is removed.
> Attached configuration code:
> {code:java}
> // authorizationManager, EUserAccessLevel and sshd are the reporter's own objects
> SftpSubsystemFactory.Builder builder = new SftpSubsystemFactory.Builder();
> builder.addSftpEventListener(new SimpleAccessControlSftpEventListener() {
>     @Override
>     protected boolean isAccessAllowed(ServerSession session, String remoteHandle, Path localPath)
>             throws IOException {
>         EUserAccessLevel level = authorizationManager.getAccessLevel(session.getUsername());
>         return level.hasReadAccess();
>     }
>
>     @Override
>     protected boolean isModificationAllowed(ServerSession session, String remoteHandle, Path localPath)
>             throws IOException {
>         EUserAccessLevel level = authorizationManager.getAccessLevel(session.getUsername());
>         return level.hasWriteAccess();
>     }
> });
>
> sshd.setSubsystemFactories(Collections.singletonList(builder.build()));
> sshd.setCommandFactory(new ScpCommandFactory());
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Commented] (SSHD-731) Vulnerability in SimpleAccessControlSftpEventListener implementation

2017-03-04 Thread Boris Fridland (JIRA)

[ https://issues.apache.org/jira/browse/SSHD-731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15896117#comment-15896117 ]

Boris Fridland commented on SSHD-731:
-

Thanks for the fast response.
I am trying to use the workaround you suggested, however in Mina 1.3.0, which is the latest version in the Maven repository (https://mvnrepository.com/artifact/org.apache.sshd/sshd-core), there is no withFileSystemAccessor method in SftpSubsystemFactory.Builder().

How do you suggest to solve this issue?

Thanks.



[jira] [Updated] (SSHD-731) Vulnerability in SimpleAccessControlSftpEventListener implementation

2017-03-02 Thread Boris Fridland (JIRA)

[ https://issues.apache.org/jira/browse/SSHD-731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Boris Fridland updated SSHD-731:

Description: 
After implementing sftp access control by overriding
SimpleAccessControlSftpEventListener and adding it to SftpSubsystemFactory:
Scenario:
1. set SimpleAccessControlSftpEventListener.isModificationAllowed to return false
2. Establish connection with WinScp
3. try to create new file
expected result: access denied message + no influence on file system
actual: access denied message, + empty file is written to server disc.
in addition if existing file is opened, and being saved --> result is that file
content is removed.


Attached configuration code:
{code:java}
import java.io.IOException;
import java.nio.file.Path;
import java.util.Collections;

// package names as used by the sshd 1.x line (sshd-core / sshd-contrib)
import org.apache.sshd.server.scp.ScpCommandFactory;
import org.apache.sshd.server.session.ServerSession;
import org.apache.sshd.server.subsystem.sftp.SftpSubsystemFactory;
import org.apache.sshd.server.subsystem.sftp.SimpleAccessControlSftpEventListener;

// authorizationManager, EUserAccessLevel and sshd (the SshServer) are the reporter's own objects
SftpSubsystemFactory.Builder builder = new SftpSubsystemFactory.Builder();
builder.addSftpEventListener(new SimpleAccessControlSftpEventListener() {
    // read-type SFTP operations are allowed only if the user's level grants read access
    @Override
    protected boolean isAccessAllowed(ServerSession session, String remoteHandle, Path localPath)
            throws IOException {
        EUserAccessLevel level = authorizationManager.getAccessLevel(session.getUsername());
        return level.hasReadAccess();
    }

    // write-type SFTP operations (create, truncate, write, remove, ...) need write access
    @Override
    protected boolean isModificationAllowed(ServerSession session, String remoteHandle, Path localPath)
            throws IOException {
        EUserAccessLevel level = authorizationManager.getAccessLevel(session.getUsername());
        return level.hasWriteAccess();
    }
});
sshd.setSubsystemFactories(Collections.singletonList(builder.build()));
sshd.setCommandFactory(new ScpCommandFactory());
{code}



Maven dependency

{code:xml}
<dependency>
    <groupId>org.apache.sshd</groupId>
    <artifactId>sshd-core</artifactId>
    <version>1.3.0</version>
</dependency>
<dependency>
    <groupId>org.apache.sshd</groupId>
    <artifactId>sshd-contrib</artifactId>
    <version>1.3.0</version>
</dependency>
{code}



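An added illustration of the ordering problem the report describes, written with plain java.nio (it is not code from the report or from MINA SSHD): if the policy is consulted only after the file has been opened with CREATE / TRUNCATE_EXISTING, the create or truncate has already happened by the time "access denied" is returned, whereas deciding on the requested open options before touching the file system leaves the existing content intact. OpenOrderDemo, isModificationAllowed and requestsModification are hypothetical names chosen for the example.

```java
import java.io.IOException;
import java.nio.channels.SeekableByteChannel;
import java.nio.file.*;
import java.util.EnumSet;
import java.util.Set;

public class OpenOrderDemo {
    // Stand-in for the reporter's policy (hypothetical): this user has no write access.
    static boolean isModificationAllowed() { return false; }

    // Any of these options lets the open call itself create or truncate the file.
    static boolean requestsModification(Set<? extends OpenOption> opts) {
        return opts.contains(StandardOpenOption.WRITE) || opts.contains(StandardOpenOption.APPEND)
            || opts.contains(StandardOpenOption.CREATE) || opts.contains(StandardOpenOption.CREATE_NEW)
            || opts.contains(StandardOpenOption.TRUNCATE_EXISTING);
    }

    // Ordering observed in the report: the open (with CREATE/TRUNCATE_EXISTING) runs before
    // the policy, so an empty or truncated file already exists when the denial is sent.
    static void openThenCheck(Path p, Set<? extends OpenOption> opts) throws IOException {
        try (SeekableByteChannel ch = Files.newByteChannel(p, opts)) {
            if (requestsModification(opts) && !isModificationAllowed()) {
                throw new AccessDeniedException(p.toString());
            }
        }
    }

    // Safe ordering: decide on the requested options before any file-system call.
    static SeekableByteChannel checkThenOpen(Path p, Set<? extends OpenOption> opts) throws IOException {
        if (requestsModification(opts) && !isModificationAllowed()) {
            throw new AccessDeniedException(p.toString());
        }
        return Files.newByteChannel(p, opts);
    }

    public static void main(String[] args) throws IOException {
        Path f = Files.createTempDirectory("sshd731").resolve("data.txt");
        // What a client "save" looks like to the server: write, create if missing, truncate.
        Set<StandardOpenOption> save = EnumSet.of(StandardOpenOption.WRITE,
                StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING);
        Files.write(f, "important".getBytes());
        try { openThenCheck(f, save); } catch (AccessDeniedException e) { /* client is told "denied" */ }
        System.out.println("open-then-check: " + Files.size(f) + " bytes remain");
        Files.write(f, "important".getBytes());
        try { checkThenOpen(f, save).close(); } catch (AccessDeniedException e) { /* denied */ }
        System.out.println("check-then-open: " + Files.size(f) + " bytes remain");
    }
}
```

Run it to compare the two sizes: the first open-then-check path leaves the file emptied even though the client saw a denial, which is the behaviour the report describes for the 1.3.0 listener.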

[jira] [Created] (SSHD-731) Vulnerability in SimpleAccessControlSftpEventListener implementation

2017-03-02 Thread Boris Fridland (JIRA)
Boris Fridland created SSHD-731:
---

 Summary: Vulnerability in SimpleAccessControlSftpEventListener implementation
 Key: SSHD-731
 URL: https://issues.apache.org/jira/browse/SSHD-731
 Project: MINA SSHD
  Issue Type: Bug
 Environment: 
{code:xml}
<dependency>
    <groupId>org.apache.sshd</groupId>
    <artifactId>sshd-core</artifactId>
    <version>1.3.0</version>
</dependency>
<dependency>
    <groupId>org.apache.sshd</groupId>
    <artifactId>sshd-contrib</artifactId>
    <version>1.3.0</version>
</dependency>
{code}

Reporter: Boris Fridland


After implementing sftp access control by overriding
SimpleAccessControlSftpEventListener and adding it to SftpSubsystemFactory:
even when the isModificationAllowed function returns false
Scenario:
1. set isModificationAllowed to return false
2. Establish connection with WinScp
3. try to create new file
expected result: access denied message + no influence on file system
actual: access denied message, + empty file is written to server disc.
in addition if existing file is opened, and being saved --> result is that file
content is removed.
It is a huge vulnerability

Attached configuration code:
{code:java}
// authorizationManager, EUserAccessLevel and sshd are the reporter's own objects
SftpSubsystemFactory.Builder builder = new SftpSubsystemFactory.Builder();
builder.addSftpEventListener(new SimpleAccessControlSftpEventListener() {
    // read-type operations: allowed only with read access
    @Override
    protected boolean isAccessAllowed(ServerSession session, String remoteHandle, Path localPath)
            throws IOException {
        EUserAccessLevel level = authorizationManager.getAccessLevel(session.getUsername());
        return level.hasReadAccess();
    }

    // write-type operations: allowed only with write access
    @Override
    protected boolean isModificationAllowed(ServerSession session, String remoteHandle, Path localPath)
            throws IOException {
        EUserAccessLevel level = authorizationManager.getAccessLevel(session.getUsername());
        return level.hasWriteAccess();
    }
});
sshd.setSubsystemFactories(Collections.singletonList(builder.build()));
sshd.setCommandFactory(new ScpCommandFactory());
{code}
