[ https://issues.apache.org/jira/browse/ZOOKEEPER-4727?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Delac updated ZOOKEEPER-4727:
----------------------------------
    Description: 
Hello,
 
I've found a problem with ZooKeeper, allowing any client to delete a zNode 
regardless of the ACL set for the zNode.

I'm not sure if this issue is for the ordinary JIRA ticket, or the issue is a 
vulnerability problem.
 
Here are steps I used, to reproduce the problem:
 
1) Create zNode /users.
2) Create zNode /users/john.


{{[zk: localhost:2181(CONNECTED) 1] create /users}}
{{Created /users}}
{{[zk: localhost:2181(CONNECTED) 2] create /users/john}}

 
3) Set auth.scheme digest, with password 'john123' on the zNode /users/john.
 
3.1) Generate digest for the user john and password john123.


{{root@dev-id-client:/opt/zookeeper-3.8.2# java -classpath 'lib/*' org.apache.zookeeper.server.auth.DigestAuthenticationProvider john:john123}}
{{16:02:56.377 [main] INFO org.apache.zookeeper.server.auth.DigestAuthenticationProvider - ACL digest algorithm is: SHA1}}
{{john:john123->john:SNEZzLxGQHaYcjRvU8KnG1WX9rU=}}
{{root@dev-id-client:/opt/zookeeper-3.8.2#}}

 
3.2) Assign ACL for the zNode /users/john.


{{[zk: localhost:2181(CONNECTED) 6] setAcl /users/john digest:john:SNEZzLxGQHaYcjRvU8KnG1WX9rU=:cdrwa}}

{{[zk: localhost:2181(CONNECTED) 7]}}

 

 
4) Test the access to the zNode /users/john. Try to read the ACL.


{{[zk: localhost:2181(CONNECTED) 7] getAcl /users/john}}
{{Insufficient permission : /users/john}}
{{[zk: localhost:2181(CONNECTED) 8]}}

 


Here the response makes sense. Because of the zNode ACL set, access is denied.
 
5) Try to delete the zNode /users/john.


{{[zk: localhost:2181(CONNECTED) 8] delete /users/john}}
{{[zk: localhost:2181(CONNECTED) 9]}}

 


I'd expect here to see *Insufficient permission* message.
 
6) Verify that zNode was successfully deleted.


{{[zk: localhost:2181(CONNECTED) 9] stat /users/john}}
{{Node does not exist: /users/john}}
{{[zk: localhost:2181(CONNECTED) 10]}}

 

 
7) whoami command shows the following.
 


{{[zk: localhost:2181(CONNECTED) 10] whoami}}
{{Auth scheme: User}}
{{ip: 127.0.0.1}}
{{[zk: localhost:2181(CONNECTED) 11]}}
{{ }}


 
In my opinion, the delete operation should not be possible if the zNode access was 
rejected, e.g. *getAcl* fails with {*}Insufficient permission : /users/john{*}.
 

  was:
Hello,
 
I've found a problem with ZooKeeper, allowing any client to delete a zNode 
regardless of the ACL set for the zNode.

I'm not sure if this issue is for the ordinary JIRA ticket, or the issue is a 
vulnerability problem.
 
Here are steps I used, to reproduce the problem:
 
1) Create zNode /users.
2) Create zNode /users/john.
 
[zk: localhost:2181(CONNECTED) 1] create /users
Created /users
[zk: localhost:2181(CONNECTED) 2] create /users/john

 
3) Set auth.scheme digest, with password 'john123' on the zNode /users/john.
 
3.1) Generate digest for the user john and password john123.
 
root@dev-id-client:/opt/zookeeper-3.8.2# java -classpath 'lib/*' org.apache.zookeeper.server.auth.DigestAuthenticationProvider john:john123
16:02:56.377 [main] INFO org.apache.zookeeper.server.auth.DigestAuthenticationProvider - ACL digest algorithm is: SHA1
john:john123->john:SNEZzLxGQHaYcjRvU8KnG1WX9rU=
root@dev-id-client:/opt/zookeeper-3.8.2#
 
3.2) Assign ACL for the zNode /users/john.
 
[zk: localhost:2181(CONNECTED) 6] setAcl /users/john digest:john:SNEZzLxGQHaYcjRvU8KnG1WX9rU=:cdrwa

[zk: localhost:2181(CONNECTED) 7]


 
4) Test the access to the zNode /users/john. Try to read the ACL.
 
[zk: localhost:2181(CONNECTED) 7] getAcl /users/john
Insufficient permission : /users/john
[zk: localhost:2181(CONNECTED) 8]

 
Here the response makes sense. Because of the zNode ACL set, access is denied.
 
5) Try to delete the zNode /users/john.
 
[zk: localhost:2181(CONNECTED) 8] delete /users/john
[zk: localhost:2181(CONNECTED) 9]

 
I'd expect here to see *Insufficient permission* message.
 
6) Verify that zNode was successfully deleted.
 
[zk: localhost:2181(CONNECTED) 9] stat /users/john
Node does not exist: /users/john
[zk: localhost:2181(CONNECTED) 10]

 
7) whoami command shows the following.
 
[zk: localhost:2181(CONNECTED) 10] whoami
Auth scheme: User
ip: 127.0.0.1
[zk: localhost:2181(CONNECTED) 11]
 
 
In my opinion, the delete operation should not be possible if the zNode access was 
rejected, e.g. *getAcl* fails with {*}Insufficient permission : /users/john{*}.
 


> zNode deleted despite not having access rights (zNode with ACL)
> ---------------------------------------------------------------
>
>                 Key: ZOOKEEPER-4727
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4727
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: java client, server
>    Affects Versions: 3.8.1
>            Reporter: Igor Delac
>            Priority: Minor



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
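
Added example, not part of the report and not ZooKeeper code: a simplified Python model of ZooKeeper's documented ACL semantics, in which DELETE is a permission held on the parent znode and governs its children, applied to the tree built in the report's steps. The function names, the tuple layout for ACL entries and the `hardened` tree are assumptions made for illustration.

```python
# Simplified model of ZooKeeper ACL checks (added example, not ZooKeeper code).
# Permission letters: c=create, d=delete, r=read, w=write, a=admin.
OPEN = [("world", "anyone", "cdrwa")]  # ACL a znode gets from zkCli `create` with no ACL argument

def allowed(acl, perm, identities):
    """True if any ACL entry grants `perm` to one of the session's identities."""
    return any(perm in perms and ((scheme, ident) == ("world", "anyone")
                                  or (scheme, ident) in identities)
               for scheme, ident, perms in acl)

def parent(path):
    return path.rsplit("/", 1)[0] or "/"

def can_get_acl(tree, path, identities=()):
    # Checked against the znode's own ACL (READ or ADMIN); matches step 4 of the report.
    return allowed(tree[path], "r", identities) or allowed(tree[path], "a", identities)

def can_delete(tree, path, identities=()):
    # DELETE is checked on the parent's ACL; a znode with children cannot be deleted.
    has_children = any(parent(p) == path for p in tree if p != path)
    return not has_children and allowed(tree[parent(path)], "d", identities)

def exposed_znodes(tree):
    """Znodes whose own ACL excludes world:anyone yet an unauthenticated session can delete."""
    return sorted(p for p in tree if p != "/"
                  and not any((s, i) == ("world", "anyone") for s, i, _ in tree[p])
                  and can_delete(tree, p))

JOHN = ("digest", "john:SNEZzLxGQHaYcjRvU8KnG1WX9rU=")  # digest id from the report

# Constructed tree reproducing steps 1 to 3.2 of the report.
reported = {"/": OPEN, "/users": OPEN, "/users/john": [JOHN + ("cdrwa",)]}

# Constructed variant: the parent /users carries the restrictive ACL as well.
hardened = dict(reported, **{"/users": [JOHN + ("cdrwa",)]})

if __name__ == "__main__":
    print("getAcl allowed:", can_get_acl(reported, "/users/john"))
    print("delete allowed:", can_delete(reported, "/users/john"))
    print("exposed (reported):", exposed_znodes(reported))
    print("exposed (hardened):", exposed_znodes(hardened))
```

In this model, restricting the ACL on `/users` is what blocks the unauthenticated delete of `/users/john`; the ACL on `/users/john` itself only governs reads, writes, ACL changes and operations on its own children.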
