[jira] [Commented] (KARAF-5330) Default access control list for console allows any user to cat files, and write to files.

[Freeman Fang (JIRA)]

    [ 
https://issues.apache.org/jira/browse/KARAF-5330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16154728#comment-16154728
 ] 

Freeman Fang commented on KARAF-5330:
-------------------------------------

Hi Tom,

I believe we already have something to avoid this potential  security hole, 
please see this in the etc/system.properties
{code}
#
# By default, if there's no ACL policy for a certain karaf command, this 
command is allowed to access
# without the RBAC. We can change this behavior by enable the following 
property, which means
# if a karaf command has no corresponding ACL then access it must have one of 
the karaf.secured.command.compulsory.roles
#
#karaf.secured.command.compulsory.roles=admin
{code}
you just need enable the karaf.secured.command.compulsory.roles, so that any 
command without ACL protection can only be executed by a certain role

Freeman

> Default access control list for console allows any user to cat files, and 
> write to files.
> -----------------------------------------------------------------------------------------
>
>                 Key: KARAF-5330
>                 URL: https://issues.apache.org/jira/browse/KARAF-5330
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf-security, karaf-shell
>            Reporter: Tom Quarendon
>            Assignee: Jean-Baptiste Onofré
>             Fix For: 4.2.0, 4.0.10, 4.1.3
>
>
> The shell:cat command has no access control list associated with it in the 
> default configuration.
> The same is true of the "shell:ls" command. There may be other shell: 
> commands too that can provide filesystem access. I don't know whether cd, pwd 
> for example should be secured. "tac" most certainly should.
> This means that any user that can access the ssh console can navigate the 
> filesystem, reading and writing files as they like.
> For example, given the default configuration, if I have a "normal" user and 
> can therefore access the console, I can use shell commands to find our or 
> guess the location of the karaf install (shell:pwd will do that), then cat 
> the contents of the etc/users.properties file and find out all users 
> passwords (in the default configuration the passwords are in plain text). I 
> can also cat the etc/host.key file which would seem undesirable. 
> tac clearly would be a very dangerous command to have access to. It seems 
> likely that I could subvert many things by just writing directly to 
> configuration files using tac. I could, for example, change, or at least 
> invalidate the admin password by rewriting the users.properties file.
> All in all this feels like a major issue.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)