[cobbler-devel] authz_ownership not checking permissions correctly on system creation

2015-08-12 Thread Kyle Flavin
I've been experimenting with the ownership features in Cobbler, using the 
authz_ownership module.
My users.conf looks like this:
[admins]
admin = ""
cobbler = ""

[mygroup]
myuser = ""
I'm seeing a problem where "myuser" can edit systems in the WebUI, owned by 
"mygroup" that already exist, but "myuser" can't create new systems. I get an 
authorization error, that seems to be tied back to item_system.py, which loads 
the obj.owners as the string "<>" for a new system object (even if I 
try to create the object with group "mygroup").  The function 
__is_user_allowed() seems to expect a list here, and ends up iterating over 
this string, and incorrectly checks for user/group matches against each 
character in the string - i.e. "<". Not sure if this is a known issue? I'm 
running 2.6.9 on my server (latest from the EPEL repos), but it looks like it's 
unchanged in the latest version up on github as well.  Is this a bug?
The code snippet is here.  When creating a system, obj.owners is a string 
containing "<>":
def __is_user_allowed(obj, groups, user, resource, arg1, arg2):
    if user == "":
        # system user, logged in via web.ss
        return True
    for group in groups:
        if group in [ "admins", "admin" ]:
            return True
    if obj.owners == []:
        return True
    for allowed in obj.owners:
        if user == allowed:
            # user match
            return True
        # else look for a group match
        for group in groups:
            if group == allowed:
                return True
    return 0
Thanks,
Kyle


___
cobbler-devel mailing list
cobbler-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/cobbler-devel
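
Added example (not part of the original message and not Cobbler's code): the matching loop from the snippet above run against an owners field that is a string, next to a check that resolves the sentinel through the parent and rejects any other string. Item, INHERIT, resolve_owners and checked_allowed are hypothetical names; denying when there is no parent to inherit from is an assumption.

```python
# Hypothetical stand-ins for illustration; none of these names are Cobbler's API.
INHERIT = "<>"  # sentinel string exactly as it appears in the message above


class Item:
    """Minimal object with an owners field and an optional parent."""
    def __init__(self, owners, parent=None):
        self.owners = owners
        self.parent = parent


def legacy_allowed(obj, groups, user):
    """Matching loop as in the posted snippet (admin shortcuts omitted)."""
    if obj.owners == []:
        return True
    for allowed in obj.owners:  # a str here yields single characters
        if user == allowed or allowed in groups:
            return True
    return False


def resolve_owners(obj):
    """Return owners as a list, following the sentinel up the parent chain."""
    seen = set()
    while obj is not None and id(obj) not in seen:
        seen.add(id(obj))  # guard against a parent cycle
        owners = obj.owners
        if owners == INHERIT:
            obj = obj.parent
            continue
        if isinstance(owners, str):
            # Any other string would be compared character by character.
            raise TypeError("owners must be a list, got str %r" % owners)
        return list(owners)
    return None  # sentinel with nothing left to inherit from


def checked_allowed(obj, groups, user):
    owners = resolve_owners(obj)
    if owners is None:
        return False  # assumption: deny when no owners can be resolved
    if owners == []:
        return True  # unowned objects stay open, as in the snippet
    return user in owners or any(g in owners for g in groups)
```

With a string in owners the legacy loop both denies the legitimate group member and would accept a user whose name happens to equal one character of that string, so the type error is not purely fail-closed.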


Re: [cobbler-devel] authz_ownership not checking permissions correctly on system creation

2015-08-13 Thread Nishanth Aravamudan
On 12.08.2015 [16:55:31 +], Kyle Flavin wrote:
> I've been experimenting with the ownership features in Cobbler, using the 
> authz_ownership module.
> My users.conf looks like this:
> [admins]
> admin = ""
> cobbler = ""
> 
> [mygroup]
> myuser = ""
> I'm seeing a problem where "myuser" can edit systems in the WebUI,
> owned by "mygroup" that already exist, but "myuser" can't create new
> systems. I get an authorization error, that seems to be tied back to
> item_system.py, which loads the obj.owners as the string "<>"
> for a new system object (even if I try to create the object with group
> "mygroup").  The function __is_user_allowed() seems to expect a list
> here, and ends up iterating over this string, and incorrectly checks
> for user/group matches against each character in the string - i.e. "<".
> Not sure if this is a known issue? I'm running 2.6.9 on my server
> (latest from the EPEL repos), but it looks like it's unchanged in the
> latest version up on github as well.  Is this a bug?

I think so. I've noticed that several times in the code, "<>"
needs to be special-cased or violates assumptions (like obj.owners is a
list not a string). The change below might fix it. Care to open an issue
on github? And I can send a fix via github (nacc is my user on there, if
you can subscribe when you file it).

> The code snippet is here.  When creating a system, obj.owners is a
> string containing "<>":
> def __is_user_allowed(obj, groups, user, resource, arg1, arg2):
>     if user == "":
>         # system user, logged in via web.ss
>         return True
>     for group in groups:
>         if group in [ "admins", "admin" ]:
>             return True
>     if obj.owners == []:
>         return True

      if obj.owners == "<>":
          return __is_user_allowed(obj.get_conceptual_parent(), groups,
                                   user, resource, arg1, arg2)

>     for allowed in obj.owners:
>         if user == allowed:
>             # user match
>             return True
>         # else look for a group match
>         for group in groups:
>             if group == allowed:
>                 return True
>     return 0

Should this ^^ be False?

> Thanks,
> Kyle
> 
> 



Re: [cobbler-devel] authz_ownership not checking permissions correctly on system creation

2015-08-14 Thread Kyle Flavin
Thanks Nish.  I'll open an issue on github this afternoon.

On a somewhat related note - I was going to poke around with my LDAP issue from 
the other day, and I'm trying to figure out how to get the dev environment 
set up for cobbler_web.  I cloned down the cobbler repository from github, and 
did a "make webtest".  Cobbler and Apache start up fine, and I can run cobbler 
commands from the CLI, but I get a 500 error when I hit 
http://127.0.0.1/cobbler_web, and it looks like I'm missing some files under 
/usr/share/cobbler/web.  My directory looks like this:

> ls /usr/share/cobbler/web
> cobbler.wsgi templates

I'm missing all the Django-related files (views.py, urls.py, settings.py, etc). 
 Am I doing something wrong here?  Do I need to do something in addition to 
"make webtest" to get cobbler_web running?  In looking at the repository, it 
looks like the files I need are split across different directories.



Re: [cobbler-devel] authz_ownership not checking permissions correctly on system creation

2015-08-14 Thread Nishanth Aravamudan
On 14.08.2015 [22:28:09 +], Kyle Flavin wrote:
> Thanks Nish.  I'll open an issue on github this afternoon.
> 
> On a somewhat related note - I was going to poke around with my LDAP
> issue from the other day, and I'm trying to figure out how to get the
> dev environment set up for cobbler_web.  I cloned down the cobbler
> repository from github, and did a "make webtest".  Cobbler and Apache
> start up fine, and I can run cobbler commands from the CLI, but I get
> a 500 error when I hit http://127.0.0.1/cobbler_web, and it looks like
> I'm missing some files under /usr/share/cobbler/web.  My directory
> looks like this:
> 
> > ls /usr/share/cobbler/web
> > cobbler.wsgi templates
> 
> I'm missing all the Django-related files (views.py, urls.py,
> settings.py, etc).  Am I doing something wrong here?  Do I need to do
> something in addition to "make webtest" to get cobbler_web running?
> In looking at the repository, it looks like the files I need are split
> across different directories.

Have you ever done an install of cobbler on that server before? If not,
you'll need to do a `make install` first, iirc. `make webtest` is meant
to only overwrite the python code and such, but leave all the
configuration alone, which might include the Django bits specific to
Cobbler.

-Nish



Re: [cobbler-devel] authz_ownership not checking permissions correctly on system creation

2015-08-17 Thread Kyle Flavin
Yes, I did a make and then a make install.  I ran 'make webtest' after doing 
those two.
