Menu
▾
▴
Re: [Exist-development] And yet another security/Ant issue...IT's A BUG IN SECURITY!
|
From: Dmitriy S. <sha...@gm...> - 2011-05-01 04:40:31
|
fixed by http://exist.svn.sourceforge.net/exist/?rev=14356&view=rev for future, you can answer my question or spend a lot of time to explain that you are right, result will be same :-) You did start with problem around xquery script, that can be because of two different places, I did ask the question to understand what place is making troubles .... On Sat, Apr 30, 2011 at 9:14 PM, Andrzej Jan Taramina <an...@ch...>wrote: > Dmitry: > > > That is not a security issue if you see it in DBA group. Did you check > user from running script? > > (let's say one line before file:directory-list) > > THIS IS A BUG IN SECURITY!!!!!! > > If you have noticed over the past few years, when I report a bug, I > typically have done a lot of > testing prior to mentioning it, to be sure that it's a bug, and to provide > enough information to > allow for the replication of the problem. > > If you create a new user in the dba group using the Ant adduser task as > follows: > > <target name="create-users-test" depends="init" description="add test user > for Dmitry"> > <exist:adduser failonerror="false" uri="${exist.url}/xmlrpc/db" > user="admin" > password="adminpswd" name="test" secret="test" home="/db" > primaryGroup="dba"/> > > <exist:users failonerror="false" uri="${exist.url}/xmlrpc/db" > user="admin" > password="adminpswd" outputproperty="users"/> > > <echo>eXist Users: ${users}</echo> > > </target> > > (change adminpswd to whatever your admin users password really is) > > Then the user is created, and is part of the dba group. > > If you then try to immediately log in as that user and do something that > requires DBA permissions, > it will fail. Try logging in as test on the admin web page and try to do a > shutdown or list running > jobs. The request will fail telling you that your user (test in my example) > does not have DBA > permissions. > > I did a bit more testing today. If you shut down and restart eXist after > you add the user, then > things will work properly. That is, if you then log in as test, you can > perform dba-restricted things. > > If you add a user using the Admin web page, the same thing happens. You > have to restart the database > before it will show as having DBA permissions. So this bug is not > restricted to just the Ant task > implementation of adduser. > > So there is a bug in the security implementation, probably do to with how > user credentials are > cached, since a restart seems to fix the issue. > > This is all on the latest/greatest trunk as of this morning. And it wasn't > there before you > implemented the new security scheme. > > So let me repeat myself so that you understand: > > THIS IS A BUG IN SECURITY!!!!!! > THIS IS A BUG IN SECURITY!!!!!! > THIS IS A BUG IN SECURITY!!!!!! > > Thank you! ;-) > > ....Andrzej > > > You don't seem to understand how the adduser Ant task works. The > user/password attributes are for > > the user that is performing the add. On a new database that would be > the admin user, which has no > > password set, so you provide an empty password. > > > > The user being added is specified by name/secret, in the example > below myuser and the value of the > > Ant variable ${password}. The password is not empty! > > > > The issue is that the myuser is added, with the correct password. > You can log in as that user no > > problem. Both the web and java admin clients show myuser as being in > the "dba" group. > > > > But myuser does not have dba priviledges for some reason which is a > big and a rather serious one in > > my estimation. If I'm logged in as myuser, I cannot do a > file:directory-list( $dir, "*.xml" ) as it > > fails on a permission problem. > > > > This is a bug in the security implementation that needs fixing. > > > > > -- Dmitriy Shabanov |
