On 12.08.2015 [16:55:31 +0000], Kyle Flavin wrote:
> I've been experimenting with the ownership features in Cobbler, using the 
> authz_ownership module.
> My users.conf looks like this:
> [admins]
> admin = ""
> cobbler = ""
> 
> [mygroup]
> myuser = ""
> I'm seeing a problem where "myuser" can edit systems in the WebUI,
> owned by "mygroup" that already exist, but "myuser" can't create new
> systems. I get an authorization error that seems to be tied back to
> item_system.py, which loads the obj.owners as the string "<<inherit>>"
> for a new system object (even if I try to create the object with group
> "mygroup").  The function __is_user_allowed() seems to expect a list
> here, and ends up iterating over this string, and incorrectly checks
> for user/group matches against each character in the string - ie: "<".
> Not sure if this is a known issue? I'm running 2.6.9 on my server
> (latest from the EPEL repos), but it looks like it's unchanged in the
> latest version up on github as well.  Is this a bug?

I think so. I've noticed that several times in the code, "<<inherit>>"
needs to be special-cased or violates assumptions (like obj.owners is a
list not a string). The change below might fix it. Care to open an issue
on github? And I can send a fix via github (nacc is my user on there, if
you can subscribe when you file it).

> The code snippet is here.  When creating a system, obj.owners is a
> string containing "<<inherit>>":
> def __is_user_allowed(obj, groups, user, resource, arg1, arg2):
>     if user == "<DIRECT>":
>         # system user, logged in via web.ss
>         return True
>     for group in groups:
>         if group in [ "admins", "admin" ]:
>             return True
>     if obj.owners == []:
>         return True

      if obj.owners == "<<inherit>>":
          return __is_user_allowed(obj.get_conceptual_parent(), groups, user, resource, arg1, arg2)
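
Review bot: the recursive call has no base case for the end of the parent chain; if `get_conceptual_parent()` returns None while `owners` is still `<<inherit>>`, the next call evaluates `None.owners` and raises instead of denying. Fetch the parent into a local first and add `if parent is None: return False` (fail closed) before recursing.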

>     for allowed in obj.owners:
>         if user == allowed:
>            # user match
>            return True
>         # else look for a group match
>         for group in groups:
>             if group == allowed:
>                 return True
>     return 0

Should this ^^ be False?

> Thanks,
> Kyle
_______________________________________________
cobbler-devel mailing list
cobbler-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/cobbler-devel
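
The failure mode described in the thread, worked through as an added example. This is not Cobbler's code: the `Item` class is a constructed stand-in that only mirrors the two attributes the thread names (`owners` and `get_conceptual_parent()`), and the fixed variant's choice to deny when the sentinel cannot be resolved to a concrete owner list is an assumption made here, not Cobbler's documented behaviour. The buggy function reproduces the quoted logic so the character-by-character match is visible: a system whose `owners` is the string `"<<inherit>>"` rejects `myuser` in `mygroup`, yet accepts a user literally named `<`.

```python
"""Constructed stand-in for Cobbler's authz_ownership check; not Cobbler's own code."""

INHERIT = "<<inherit>>"          # sentinel stored when a field follows its parent
ADMIN_GROUPS = ("admins", "admin")


class Item:
    """Minimal stand-in for a Cobbler distro/profile/system (constructed for this example)."""

    def __init__(self, name, owners, parent=None):
        self.name = name
        self.owners = owners          # a list of names, or the INHERIT sentinel string
        self._parent = parent

    def get_conceptual_parent(self):
        # Same method name as on the list; returns None at the root of the chain.
        return self._parent


def is_user_allowed_buggy(obj, groups, user):
    """Logic as quoted in the thread: iterates obj.owners whatever its type."""
    if user == "<DIRECT>":
        return True
    for group in groups:
        if group in ADMIN_GROUPS:
            return True
    if obj.owners == []:
        return True
    for allowed in obj.owners:       # BUG: a str iterates character by character
        if user == allowed:
            return True
        for group in groups:
            if group == allowed:
                return True
    return 0


def effective_owners(obj, max_depth=16):
    """Resolve the INHERIT sentinel by walking up the parent chain.

    Returns the first concrete list of owners, or None when the chain ends
    (root reached, depth limit hit, or a non-list value) with the sentinel
    still unresolved.
    """
    node = obj
    for _ in range(max_depth):
        if node is None:
            return None
        owners = node.owners
        if owners == INHERIT:
            node = node.get_conceptual_parent()
            continue
        if isinstance(owners, list):
            return owners
        return None                  # unexpected type: refuse to guess


def is_user_allowed_fixed(obj, groups, user):
    """Same policy, but inheritance is resolved first and an unresolvable
    owner list fails closed instead of matching characters."""
    if user == "<DIRECT>":
        return True
    if any(g in ADMIN_GROUPS for g in groups):
        return True
    owners = effective_owners(obj)
    if owners is None:
        return False                 # ASSUMPTION: no resolvable owners -> deny
    if owners == []:
        return True                  # empty list means unrestricted, as in the quoted code
    groups = set(groups)
    return any(allowed == user or allowed in groups for allowed in owners)


# Constructed objects mirroring the report: a profile owned by "mygroup" and a
# freshly created system whose owners field is still the inherit sentinel.
PROFILE = Item("example-profile", ["mygroup"])
NEW_SYSTEM = Item("new-system", INHERIT, parent=PROFILE)
ORPHAN = Item("orphan", INHERIT)     # sentinel with nothing above it to inherit from
```

Resolving the sentinel iteratively (with a depth cap) rather than recursing avoids both the `None` dereference at the root and an unbounded walk if parent links ever form a cycle; whether an unresolvable owner list should deny or fall back to a site default is a policy decision to settle before shipping such a change.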
