qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chuck Rolke (JIRA)" <j...@apache.org>
Subject [jira] [Created] (QPID-4631) C++ Broker interbroker links should be protected by ACL
Date Wed, 06 Mar 2013 21:30:13 GMT
Chuck Rolke created QPID-4631:

             Summary: C++ Broker interbroker links should be protected by ACL
                 Key: QPID-4631
                 URL: https://issues.apache.org/jira/browse/QPID-4631
             Project: Qpid
          Issue Type: Bug
          Components: C++ Broker
    Affects Versions: 0.20
            Reporter: Chuck Rolke
            Assignee: Chuck Rolke

This issue addresses CVE-2012-4446

Federated interbroker links may be opened by client programs and not just by brokers. By default
the creation of these links is not protected any formal authorization.

Users concerned about this issue may immediately lock their systems down by creating ACL rules
that allow links to be created only by authorized users. For instance the following ACL rules
on each broker would provide the lockdown necessary:

  group proxies <id1> <id2> ...
  acl allow    proxies create link
  acl deny-log all     create link

A better solution is for the ACL module to deny the creation of links unless ACL rules are
specified to specifically allow them.
In pseudo code the solution is in two parts. Part one observes CREATE LINK rules in the acl
file. Part two authorizes link creation only if ACL is loaded, CREATE LINK ACL rules are specified,
and the specific user is authorized to create the link in question:

function readAclFile()
  if (CREATE LINK rules are specified)
    set acl->createLinkFlag
end function

function brokerCreateLink()
  if (aclLoaded)
    if (acl->createLinkFlag)
      if (acl->authorise(user, create, link, properties))
        <create link allowed>
        <create link denied - not authorized>
      <create link denied - acl did not specify a create link rule>
    <create link denied - acl module not loaded>
end function

This Jira will track the implementation of this restriction.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org

View raw message