Posted to dev@cloudstack.apache.org by "Alena Prokharchyk (JIRA)" <ji...@apache.org> on 2012/10/08 20:04:03 UTC

[jira] [Resolved] (CLOUDSTACK-287) Security bug: System user doesn't have any password

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-287?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alena Prokharchyk resolved CLOUDSTACK-287.
------------------------------------------

    Resolution: Fixed

Fixed with cfd2091337534f0ff7edcacd404c776fa202c5c7 and 29e6dae86de9482d6f2e85fe47fceeab45ecba9c. 

Cases to test (for QA):

1) Deploy cloudStack anew. Make sure that the system user comes with a non-null random password.
2) Upgrade from the previous cloudStack version. Verify that the system user has a random password after the upgrade.
3) Check that the system user can't log in with this password. Test with the UI as well as with the API login command.
4) Check that no API commands are allowed to execute against the system user. registerUserKeys/enableUser/disableUser should fail for the system user.
5) Don't allow operations against the system account (enable/disable/delete the system account; don't allow adding a new user to the system account).
                
> Security bug: System user doesn't have any password
> ---------------------------------------------------
>
>                 Key: CLOUDSTACK-287
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-287
>             Project: CloudStack
>          Issue Type: Bug
>    Affects Versions: 4.0.0
>            Reporter: Alena Prokharchyk
>            Assignee: Alena Prokharchyk
>            Priority: Critical
>             Fix For: 4.0.0
>
>
> During the cloudStack installation and db setup, the System account/user are inserted into the DB. This account/user is dedicated to system actions (background cleanup threads, for example), events and objects (the SSVM and CPVM belong to the system account). Plus, when an API request comes in on port 8096, we don't do any sort of authentication and assume that the caller is the System user. All of this is expected behavior. 
> The bug is: 
> * System user doesn't have any password.
> * It's possible to login as a System user with no password, and do any API calls after that
> * You can register api/secret keys for the System user, and do any API request as this user using api/secret key authentication

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
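The following is an added example, not CloudStack's own code and not part of the JIRA message above. It is a small Python model of the behaviour the report and the QA cases describe: a `CloudDb` stand-in for the user/account tables with a `hardened` switch (False reproduces the reported bug: NULL password for the system user, empty-password login accepted, keys registrable; True models the fix: random non-null password at install, filled in on `upgrade()`, and every login, registerUserKeys, enableUser/disableUser, account enable/disable/delete and add-user operation refused for the system user/account). `system_user_locked_down()` runs QA cases 1 to 5 against one such database. The row ids (system account and system user = 1), the class and method names, the key format and the plain-string password comparison are assumptions made for illustration only.

```python
# Model of the CLOUDSTACK-287 fix (added example, not CloudStack code): the system user gets
# a non-null random password; login, key registration and user/account management are refused.
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

SYSTEM_ACCOUNT_ID = 1  # assumption, not stated on the page: system account/user are row id 1
SYSTEM_USER_ID = 1


class SystemUserError(PermissionError):
    """Operation targeted the system user or the system account."""


@dataclass
class User:
    id: int
    account_id: int
    username: str
    password: Optional[str]  # None models the pre-fix NULL password column
    enabled: bool = True
    api_key: Optional[str] = None
    secret_key: Optional[str] = None


class CloudDb:
    """In-memory stand-in for the cloud.user / cloud.account tables."""

    def __init__(self, hardened: bool = True):
        self.hardened = hardened  # False reproduces the pre-fix behaviour from the report
        self.accounts = {SYSTEM_ACCOUNT_ID: {"name": "system", "enabled": True, "deleted": False}}
        # QA case 1: a fresh deploy inserted NULL before the fix, a random password after it.
        self.users = {SYSTEM_USER_ID: User(SYSTEM_USER_ID, SYSTEM_ACCOUNT_ID, "system",
                                           secrets.token_urlsafe(32) if hardened else None)}
        self._next_id = 2

    def _guard(self, user: Optional[User] = None, account_id: Optional[int] = None) -> None:
        """Refuse any operation whose target is the system user or the system account."""
        if user is not None and (user.id == SYSTEM_USER_ID or user.account_id == SYSTEM_ACCOUNT_ID):
            account_id = SYSTEM_ACCOUNT_ID
        if self.hardened and account_id == SYSTEM_ACCOUNT_ID:
            raise SystemUserError("operation not allowed on the system user/account")

    def upgrade(self) -> None:
        """QA case 2: the upgrade path fills in a random password where the column is NULL."""
        sys_user = self.users[SYSTEM_USER_ID]
        if sys_user.password is None:
            sys_user.password = secrets.token_urlsafe(32)
        self.hardened = True

    def login(self, username: str, password: str) -> str:
        user = next((u for u in self.users.values() if u.username == username), None)
        if user is None or not user.enabled:
            raise PermissionError("unknown or disabled user")
        self._guard(user)  # QA case 3: the system user can never log in, whatever the password
        if user.password is None:
            # Pre-fix behaviour from the report: a NULL password let an empty login through.
            if password == "":
                return secrets.token_hex(16)
            raise PermissionError("bad credentials")
        if not hmac.compare_digest(user.password.encode(), password.encode()):
            raise PermissionError("bad credentials")
        return secrets.token_hex(16)  # session key

    def register_user_keys(self, user_id: int):
        user = self.users[user_id]
        self._guard(user)  # QA case 4: registerUserKeys
        user.api_key, user.secret_key = secrets.token_urlsafe(64), secrets.token_urlsafe(64)
        return user.api_key, user.secret_key

    def set_user_enabled(self, user_id: int, enabled: bool) -> None:
        user = self.users[user_id]
        self._guard(user)  # QA case 4: enableUser / disableUser
        user.enabled = enabled

    def update_account(self, account_id: int, **fields) -> None:
        self._guard(account_id=account_id)  # QA case 5: enable/disable/delete account
        self.accounts[account_id].update(fields)

    def create_user(self, account_id: int, username: str, password: str) -> User:
        self._guard(account_id=account_id)  # QA case 5: no new users in the system account
        user = User(self._next_id, account_id, username, password)
        self.users[user.id] = user
        self._next_id += 1
        return user


def system_user_locked_down(db: CloudDb) -> bool:
    """QA cases 1-5 in one check: non-null password and every operation refused."""
    sys_user = db.users[SYSTEM_USER_ID]
    if sys_user.password is None:
        return False
    attempts = (
        lambda: db.login("system", ""),
        lambda: db.login("system", sys_user.password),
        lambda: db.register_user_keys(SYSTEM_USER_ID),
        lambda: db.set_user_enabled(SYSTEM_USER_ID, False),
        lambda: db.update_account(SYSTEM_ACCOUNT_ID, enabled=False),
        lambda: db.update_account(SYSTEM_ACCOUNT_ID, deleted=True),
        lambda: db.create_user(SYSTEM_ACCOUNT_ID, "extra", "x"),
    )
    for attempt in attempts:
        try:
            attempt()
            return False  # the operation went through: still vulnerable
        except SystemUserError:
            pass
    return True
```

Running `system_user_locked_down(CloudDb(hardened=False))` returns False (the pre-fix state: NULL password, empty login accepted, keys registrable); after `upgrade()` on that same object, or on a fresh `CloudDb()`, it returns True. Note that the random password is deliberately never usable: the guard in `login()` fires before the credential comparison, so the password's only job is to make sure the column is not NULL. Ordinary users created in other accounts still log in with a correct password and are refused with a plain PermissionError on a wrong one.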