Security Hole: "New Job..." UI button bypasses aclpolicy file entries
Reported by Steven Kluth | July 28th, 2011 @ 02:04 PM | in Rundeck 1.4 (closed)
In a project where an end-user is configured to have read-only access to some job folders, and read/write/create access to others via the .aclpolicy file, enabling the ui/create ACL bypasses the security placed on the read-only folder structure during job creation time, allowing the user to create and execute (one time only) a job in the previously restricted folder space.
Comments and changes to this ticket
-
Steven Kluth July 29th, 2011 @ 09:55 AM
No problem!
Here's the aclpolicy, sanitized.:
--- snip --- description: Developer Access ACLrules:
^(prod1|prod2).*:actions: [none]
^(?!(prod1|prod2)).*:
actions: [workflow_create,workflow_read,workflow_update,workflow_delete,workflow_run,workflow_kill]
by:
group: sg_developers --- snip ---Some more information about the environment:
We're using AD-Integrated security, each RunDeck project corresponds to an application we deploy. Within that project, each environment has a top-level job folder (prod1, prod2, stage, test, etc..)
Our desired outcome is to enable our developers to use the test and stage folders, without letting them have access to the prod1/prod2 items. Once a developer has started creating a job spec anywhere inside the UI, it will allow them to specify a storage path outside of what they would normally be allowed to access, and will allow them to use the "Create and Run" button to execute the job at creation time.
Thanks!
-
Greg Schueler September 7th, 2011 @ 11:29 AM
- Assigned user set to Greg Schueler
- Tag set to aclpolicy, authorization, bug
- Milestone set to Rundeck 1.4
- Milestone order changed from 79 to 0
-
Greg Schueler September 7th, 2011 @ 11:38 AM
- State changed from new to open
will be fixed by #429
-
Greg Schueler September 9th, 2011 @ 04:20 PM
- State changed from open to needs_verification
verify create/create and run job will fail to work if saving to restricted group path
-
Greg Schueler September 14th, 2011 @ 01:52 PM
(from [736eb6b142962a14beafacbf9495992551f935b8]) Add 'create' auth check when creating jobs [#403] [#429]
fix group list to readable jobs when picking group
https://github.com/dtolabs/rundeck/commit/736eb6b142962a14beafacbf9... -
Greg Schueler October 25th, 2011 @ 12:37 PM
- State changed from needs_verification to resolved
Please Sign in or create a free account to add a new ticket.
With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป
(DEPRECATED) Please use github issues for issue tracking at http://github.com/dtolabs/rundeck/issues