qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-4631) C++ Broker interbroker links should be protected by ACL
Date Wed, 05 Mar 2014 02:35:43 GMT

    [ https://issues.apache.org/jira/browse/QPID-4631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13920409#comment-13920409
] 

ASF subversion and git services commented on QPID-4631:
-------------------------------------------------------

Commit 1574291 from chug@apache.org in branch 'qpid/trunk'
[ https://svn.apache.org/r1574291 ]

QPID-5599: C++ Broker silently ignores --max-connections option when no ACL file is loaded

Simply installing a null and permissive rule file trips up the 'create link'
security check. The security check from 
https://issues.apache.org/jira/browse/QPID-4631 reasons that if authentication
is enabled and no ACL rule file is specified then interbroker links are 
denied. The check for 'ACL rule file is loaded' is simply the existence of
the ACL object. That check is voided by always having an ACL object regardless
of whether the ACL rule file was specified or not.

One fix considered was adding an ACL rule "acl deny-log all create link" to
the formerly null rule set when no ACL file is specified. This solution has
too much complexity in several places and is too hard.

The fix implemented here is a boolean flag indicating if the ACL rule set 
in force is specified by the user or not. Then the security check tests
that the acl exists (always true) and that the rule set is specified by the
user.

> C++ Broker interbroker links should be protected by ACL
> -------------------------------------------------------
>
>                 Key: QPID-4631
>                 URL: https://issues.apache.org/jira/browse/QPID-4631
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.20
>            Reporter: Chuck Rolke
>            Assignee: Chuck Rolke
>             Fix For: 0.23
>
>
> This issue addresses CVE-2012-4446
> Federated interbroker links may be opened by client programs and not just by brokers.
By default the creation of these links is not protected any formal authorization.
> Users concerned about this issue may immediately lock their systems down by creating
ACL rules that allow links to be created only by authorized users. For instance the following
ACL rules on each broker would provide the lockdown necessary:
>   group proxies <id1> <id2> ...
>   acl allow    proxies create link
>   acl deny-log all     create link
> A better solution is for the ACL module to deny the creation of links unless ACL rules
are specified to specifically allow them.
> In pseudo code the solution is in two parts. Part one observes CREATE LINK rules in the
acl file. Part two authorizes link creation only if ACL is loaded, CREATE LINK ACL rules are
specified, and the specific user is authorized to create the link in question:
> function readAclFile()
>   ...
>   if (CREATE LINK rules are specified)
>     set acl->createLinkFlag
>   endif
>   ...
> end function
> function brokerCreateLink()
>   if (aclLoaded)
>     if (acl->createLinkFlag)
>       if (acl->authorise(user, create, link, properties))
>         <create link allowed>
>       else
>         <create link denied - not authorized>
>       endif
>     else
>       <create link denied - acl did not specify a create link rule>
>     endif
>   else
>     <create link denied - acl module not loaded>
>   endif
> end function
> This Jira will track the implementation of this restriction.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


Mime
View raw message