Posted to dev@qpid.apache.org by "Pavel Moravec (Created) (JIRA)" <ji...@apache.org> on 2011/10/06 14:22:29 UTC
[jira] [Created] (QPID-3528) qpid --help has wrong description of
sasl-config parameter
qpid --help has wrong description of sasl-config parameter
----------------------------------------------------------
Key: QPID-3528
URL: https://issues.apache.org/jira/browse/QPID-3528
Project: Qpid
Issue Type: Bug
Components: C++ Broker
Affects Versions: 0.10
Reporter: Pavel Moravec
Priority: Trivial
Attachments: saslconfig-help.patch
Description of problem:
qpidd --help shows sasl-config option to specify filename of SASL config file.
That is wrong as it specifies _directory_ (like /etc/sasl2) where qpidd.conf
for SASL lies.
man pages of qpid are correct:
--sasl-config DIR
gets sasl config info from nonstandard location
Just qpidd --help is wrong.
Version-Release number of selected component (if applicable):
any (MRG 2.0 checked)
How reproducible:
100%
Steps to Reproduce:
1. qpidd --help | grep -A1 sasl
Actual results:
# qpidd --help | grep -A1 sasl
--sasl-config FILE gets sasl config from
nonstandard location
#
Expected results:
# qpidd --help | grep -A1 sasl
--sasl-config DIR (/etc/sasl2) gets sasl config from
nonstandard directory
#
Additional info:
Patch attached.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] [Resolved] (QPID-3528) qpid --help has wrong description of
sasl-config parameter
Posted by "michael j. goulish (Resolved) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
michael j. goulish resolved QPID-3528.
--------------------------------------
Resolution: Fixed
Fix Version/s: Future
"Fixed" -- sort of -- in r1183121.
Well -- actually, the most offensive word in the help message -- "FILE" that should have been "DIR" -- was fixed earlier.
But this JIRA made me realize that there was what I consider to be a serious security flaw here, which I fixed. (I probably should have made a new JIRA...)
The SASL library call sasl_set_path(), which is a recent addition to the library, does not check the validity of the path when it is called. If you give it a bad path, or one for which you have insufficient permissions, then the library will discover this later, and will then use the default location.
That's a gross security hole. That library should not default to anything. It should either use your intended SASL db, or fail noisily. We should never have a situation where a production user of our system starts up with a set of SASL usernames and passwords that is not what he expects.
The code that I put in before the sasl_set_path() call has that effect. It checks for existence and accessibility of the given directory -- and if it fails it will prevent broker start-up.
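The start-up check described in the message above, sketched as an added example; it is not the r1183121 change or any other Qpid code. The function names are hypothetical, and the sasl_set_path() call appears only as a comment so the block builds without libsasl2.

```cpp
#include <cerrno>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical helper (not Qpid source): returns "" when `dir` is an existing
// directory this process can list and search, otherwise the reason it is not.
std::string saslConfigDirProblem(const std::string& dir) {
    struct stat st;
    if (dir.empty())
        return "no directory given";
    if (::stat(dir.c_str(), &st) != 0)
        return std::string(std::strerror(errno)) + ": '" + dir + "'";
    if (!S_ISDIR(st.st_mode))
        return "'" + dir + "' is not a directory";
    // R_OK lists the directory, X_OK opens files inside it. access() tests
    // the real UID, which matches the effective UID for a non-setuid daemon.
    if (::access(dir.c_str(), R_OK | X_OK) != 0)
        return std::string(std::strerror(errno)) + ": '" + dir + "'";
    return "";
}

// Fail closed: abort start-up rather than let the library use its default.
void setSaslConfigDirOrThrow(const std::string& dir) {
    const std::string problem = saslConfigDirProblem(dir);
    if (!problem.empty())
        throw std::runtime_error("SASL config directory rejected: " + problem);
    // Only a validated path reaches the library. A broker would call
    //   sasl_set_path(SASL_PATH_TYPE_CONFIG, const_cast<char*>(dir.c_str()));
    // here; it stays a comment so this example builds without libsasl2.
}

bool startupRefused(const std::string& dir) {
    try { setSaslConfigDirOrThrow(dir); return false; }
    catch (const std::runtime_error&) { return true; }
}

int main(int argc, char** argv) {
    const std::string dir = argc > 1 ? argv[1] : "/etc/sasl2";
    if (startupRefused(dir)) {
        std::cerr << "refusing to start: " << saslConfigDirProblem(dir) << "\n";
        return 1;
    }
    std::cout << "SASL config directory accepted: " << dir << "\n";
    return 0;
}
```

The check runs just before the library call, but the directory can still change afterwards, so it complements restrictive ownership and permissions on the directory rather than replacing them.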
[jira] [Updated] (QPID-3528) qpid --help has wrong description of
sasl-config parameter
Posted by "Pavel Moravec (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pavel Moravec updated QPID-3528:
--------------------------------
Attachment: saslconfig-help.patch
Patch proposal. It fixes the help string and also tells what the default
directory is (/etc/sasl2).
[jira] [Commented] (QPID-3528) qpid --help has wrong description of
sasl-config parameter
Posted by "Gordon Sim (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13122662#comment-13122662 ]
Gordon Sim commented on QPID-3528:
----------------------------------
Fraser Adams also suggested on the user list that more helpful logging would be useful here. I don't know what we can do in terms of logging what cyrus-sasl actually does. The log statement at present says 'SASL: config path set to xyz' regardless of whether the path is valid or not. At the very least, changing that to say e.g. 'Added xyz to SASL path' might make what is actually happening a little clearer.
[jira] [Commented] (QPID-3528) qpid --help has wrong description of
sasl-config parameter
Posted by "Gordon Sim (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13122656#comment-13122656 ]
Gordon Sim commented on QPID-3528:
----------------------------------
This was already raised and fixed as QPID-3117, however the patch attached here is I think a little more complete and the extra changes would be good to pick up.
[jira] [Assigned] (QPID-3528) qpid --help has wrong description of
sasl-config parameter
Posted by "Gordon Sim (Assigned) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gordon Sim reassigned QPID-3528:
--------------------------------
Assignee: michael j. goulish
[jira] [Updated] (QPID-3528) qpid --help has wrong description of
sasl-config parameter
Posted by "Ted Ross (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ted Ross updated QPID-3528:
---------------------------
Fix Version/s: (was: Future)
0.13