Alena Prokharchyk created CLOUDSTACK-287:
--------------------------------------------
Summary: Security bug: System user doesn't have any password
Key: CLOUDSTACK-287
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-287
Project: CloudStack
Issue Type: Bug
Affects Versions: 4.0.0
Reporter: Alena Prokharchyk
Assignee: Alena Prokharchyk
Priority: Critical
Fix For: 4.0.0
During the CloudStack installation and DB setup, the System account/user are
inserted into the DB. This account/user are dedicated to system
actions (background cleanup threads, for example), events, and objects (SSVM and CPVM
belong to the system account). Plus, when an API request comes from port 8096, we don't
do any sort of authentication, and assume that the caller is the System user.
This all is expected behavior.
The bug is:
* System user doesn't have any password.
* It's possible to log in as a System user with no password, and do any API
calls after that
* You can register api/secret keys for the System user, and do any API request
as this user using api/secret key authentication
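An audit for the two conditions the report lists, added here as an example and not taken from the issue or from CloudStack's code. The schema, column names, `is_system` flag and all rows are constructed assumptions; the check flags any user whose stored password is NULL or blank, and any system-type user that has API or secret keys registered.

```python
import sqlite3

# Hypothetical, simplified schema: table and column names are assumptions
# made for this example, not taken from the CloudStack database.
SCHEMA = """
CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT, is_system INTEGER);
CREATE TABLE user (id INTEGER PRIMARY KEY, account_id INTEGER, username TEXT,
                   password TEXT, api_key TEXT, secret_key TEXT);
"""

# Constructed sample data: a system user in the state the report describes,
# a second system-type user with a stored hash and no keys, two ordinary users.
ACCOUNTS = [(1, "system", 1), (2, "system-b", 1), (3, "tenant", 0)]
USERS = [
    (1, 1, "system", None, "constructed-api-key", "constructed-secret"),
    (2, 2, "system2", "constructed-hash", None, None),
    (3, 3, "alice", "constructed-hash", "constructed-api-key", "constructed-secret"),
    (4, 3, "bob", "  ", None, None),  # whitespace-only counts as blank
]

AUDIT_SQL = """
SELECT u.username, a.is_system,
       (u.password IS NULL OR TRIM(u.password) = '') AS no_password,
       (u.api_key IS NOT NULL OR u.secret_key IS NOT NULL) AS has_keys
FROM user u JOIN account a ON a.id = u.account_id
ORDER BY u.id
"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO account VALUES (?, ?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?, ?)", USERS)
    return conn

def audit(conn):
    """Return (username, finding) pairs for the conditions in the report."""
    findings = []
    for username, is_system, no_password, has_keys in conn.execute(AUDIT_SQL):
        if no_password:
            # A blank stored credential must never match a blank login attempt.
            findings.append((username, "no-password"))
        if is_system and has_keys:
            # The system user should not be reachable through key-based API auth.
            findings.append((username, "system-user-has-api-keys"))
    return findings

if __name__ == "__main__":
    for username, finding in audit(build_sample_db()):
        print(f"{username}: {finding}")
```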