[ https://issues.apache.org/jira/browse/KARAF-5330?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16155330#comment-16155330 ]

Tom Quarendon commented on KARAF-5330:
--------------------------------------

Sorry. I meant "sshRole", rather than sshRealm. Apologies. 

As I understand it before the role based access control was added for commands, 
 "sshRole" was exactly the control you DID have. Hence my use of the word 
"revert".
Or at least, the documentation talks about sshRole, and that being what it's 
for. This is what I wanted originally. But on trying to understand why it 
didn't appear to work, I discovered that it had apparently been removed when the 
RBAC was added for commands. Which led me down this path.
So finding the commit that removed sshRole and reverting the relevant part of 
it would, I think, be a sensible move.


> Default access control list for console allows any user to cat files, and 
> write to files.
> -----------------------------------------------------------------------------------------
>
>                 Key: KARAF-5330
>                 URL: https://issues.apache.org/jira/browse/KARAF-5330
>             Project: Karaf
>          Issue Type: Bug
>          Components: karaf-security, karaf-shell
>            Reporter: Tom Quarendon
>            Assignee: Jean-Baptiste Onofré
>             Fix For: 4.2.0, 4.0.10, 4.1.3
>
>
> The shell:cat command has no access control list associated with it in the 
> default configuration.
> The same is true of the "shell:ls" command. There may be other shell: 
> commands too that can provide filesystem access. I don't know whether cd, pwd 
> for example should be secured. "tac" most certainly should.
> This means that any user that can access the ssh console can navigate the 
> filesystem, reading and writing files as they like.
> For example, given the default configuration, if I have a "normal" user and 
> can therefore access the console, I can use shell commands to find out or 
> guess the location of the karaf install (shell:pwd will do that), then cat 
> the contents of the etc/users.properties file and find out all users' 
> passwords (in the default configuration the passwords are in plain text). I 
> can also cat the etc/host.key file, which would seem undesirable. 
> tac clearly would be a very dangerous command to have access to. It seems 
> likely that I could subvert many things by just writing directly to 
> configuration files using tac. I could, for example, change, or at least 
> invalidate the admin password by rewriting the users.properties file.
> All in all this feels like a major issue.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
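Editor's added example (not part of the issue or of the Karaf project's own files): the shape of a per-scope command ACL entry that would close the gap the issue describes, i.e. make cat, tac and the other filesystem-touching shell commands require the admin role instead of being callable by any authenticated console user. The file name follows Karaf's etc/org.apache.karaf.command.acl.<scope>.cfg convention; the command list, the role name and the entries shown as "already restricted" are assumptions to check against the release you run, not a verified default.

```properties
# etc/org.apache.karaf.command.acl.shell.cfg
# (assumed location: Karaf keeps one command ACL file per command scope,
#  named org.apache.karaf.command.acl.<scope>.cfg; "shell" is the scope of
#  shell:cat, shell:tac, shell:ls, ...)
#
# Entry format: <command>[<option regex>] = <role>[, <role> ...]
# A command with no entry is not checked at all, so any user who can reach
# the ssh console may run it. That is the condition the issue describes for
# cat, tac, ls, pwd and cd.

# Filesystem commands restricted to admin (added here as an example; the
# role name and the exact set of commands are assumptions for your release)
cat = admin
tac = admin
ls  = admin
pwd = admin
cd  = admin

# Commands commonly already restricted in the stock shell ACL file
# (assumed; verify against the file shipped with your Karaf version)
edit = admin
exec = admin
new  = admin
java = admin
```

Check after applying: log in over ssh as a user whose only role is the non-admin one, run shell:pwd and shell:cat etc/users.properties, and confirm both are refused; then repeat as an admin user and confirm they succeed. The ACL only covers the scope named in the file, so any other scope that can read or write files needs its own entry.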