[ https://issues.apache.org/jira/browse/QPID-4631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13616221#comment-13616221 ]

Chuck Rolke commented on QPID-4631:
-----------------------------------

To your question: Yes, a 'deny all all' rule prevents creation of a federation 
link by anyone not explicitly granted that permission.

What we are trying to prevent is users innocently allowing link creation in the 
absence of a CREATE LINK rule granting that permission. 

Prior to this patch, link creation is allowed if no ACL file is loaded. Also, if 
an ACL file is loaded, then link creation is allowed by the usual ACL rules even 
though a CREATE LINK rule does not exist.

In this patch a rule like 'allow all all' or 'deny all all' does not contribute 
to the presence of a CREATE LINK rule.

The patch forces the create link path in the broker to refer to the ACL file 
for a decision and requires that the ACL file have at least one explicit 
CREATE LINK rule. If links are allowed, then the customer's rule set explicitly 
allowed them and link creation did not happen through a passive ACL approval.
                
> C++ Broker interbroker links should be protected by ACL
> -------------------------------------------------------
>
>                 Key: QPID-4631
>                 URL: https://issues.apache.org/jira/browse/QPID-4631
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.20
>            Reporter: Chuck Rolke
>            Assignee: Chuck Rolke
>
> This issue addresses CVE-2012-4446.
> Federated interbroker links may be opened by client programs and not just by 
> brokers. By default the creation of these links is not protected by any formal 
> authorization.
> Users concerned about this issue may immediately lock their systems down by 
> creating ACL rules that allow links to be created only by authorized users. 
> For instance the following ACL rules on each broker would provide the 
> lockdown necessary:
>   group proxies <id1> <id2> ...
>   acl allow    proxies create link
>   acl deny-log all     create link
> A better solution is for the ACL module to deny the creation of links unless 
> ACL rules are specified to specifically allow them.
> In pseudo code the solution is in two parts. Part one observes CREATE LINK 
> rules in the acl file. Part two authorizes link creation only if ACL is 
> loaded, CREATE LINK ACL rules are specified, and the specific user is 
> authorized to create the link in question:
> function readAclFile()
>   ...
>   if (CREATE LINK rules are specified)
>     set acl->createLinkFlag
>   endif
>   ...
> end function
> function brokerCreateLink()
>   if (aclLoaded)
>     if (acl->createLinkFlag)
>       if (acl->authorise(user, create, link, properties))
>         <create link allowed>
>       else
>         <create link denied - not authorized>
>       endif
>     else
>       <create link denied - acl did not specify a create link rule>
>     endif
>   else
>     <create link denied - acl module not loaded>
>   endif
> end function
> This Jira will track the implementation of this restriction.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
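
The two-part check from the issue description, including the behaviour described in the comment (an 'allow all all' or 'deny all all' rule does not count as a CREATE LINK rule), as an added C++ example. It is not Qpid's code or the patch itself: the rule grammar is a simplified model, groups and properties are left out, and the user names are constructed.

```cpp
#include <sstream>
#include <string>
#include <vector>

// Simplified model (assumption): "acl <allow|deny|deny-log> <user|all> <action|all> [object]",
// first matching rule wins, no match means deny. Groups and properties are not modelled.
struct Rule { bool allow; std::string user, action, object; };
struct Acl {
    std::vector<Rule> rules;
    bool createLinkFlag = false;  // set only by an explicit "create link" rule
};
enum class Decision { Allowed, DeniedByRule, DeniedNoCreateLinkRule, DeniedNoAcl };

// Part one: read the rules and note whether any of them names CREATE LINK.
Acl readAcl(const std::string& text) {
    Acl acl;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream f(line);
        std::string kw, perm, user, action, object;
        if (!(f >> kw >> perm >> user >> action) || kw != "acl") continue;
        if (!(f >> object)) object = "all";  // "acl allow all all" has no object field
        acl.rules.push_back({perm == "allow", user, action, object});
        // 'allow all all' and 'deny all all' deliberately leave the flag unset.
        if (action == "create" && object == "link") acl.createLinkFlag = true;
    }
    return acl;
}

// Part two: fail closed unless ACL is loaded, the flag is set, and the user is authorised.
Decision brokerCreateLink(const Acl* acl, const std::string& user) {
    if (!acl) return Decision::DeniedNoAcl;
    if (!acl->createLinkFlag) return Decision::DeniedNoCreateLinkRule;
    for (const Rule& r : acl->rules) {
        bool userOk = r.user == "all" || r.user == user;
        bool actionOk = r.action == "all" || r.action == "create";
        bool objectOk = r.object == "all" || r.object == "link";
        if (userOk && actionOk && objectOk)
            return r.allow ? Decision::Allowed : Decision::DeniedByRule;
    }
    return Decision::DeniedByRule;
}

int main() {
    Acl acl = readAcl("acl allow all all\n");  // constructed sample rule set
    return brokerCreateLink(&acl, "guest@QPID") == Decision::DeniedNoCreateLinkRule ? 0 : 1;
}
```

A permissive catch-all rule set is refused for lack of a CREATE LINK rule, while a rule set that names CREATE LINK is evaluated rule by rule.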
