You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2014/03/05 03:35:43 UTC
[jira] [Commented] (QPID-4631) C++ Broker interbroker links should
be protected by ACL
[ https://issues.apache.org/jira/browse/QPID-4631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13920409#comment-13920409 ]
ASF subversion and git services commented on QPID-4631:
-------------------------------------------------------
Commit 1574291 from chug@apache.org in branch 'qpid/trunk'
[ https://svn.apache.org/r1574291 ]
QPID-5599: C++ Broker silently ignores --max-connections option when no ACL file is loaded
Simply installing a null and permissive rule file trips up the 'create link'
security check. The security check from
https://issues.apache.org/jira/browse/QPID-4631 reasons that if authentication
is enabled and no ACL rule file is specified then interbroker links are
denied. The check for 'ACL rule file is loaded' is simply the existence of
the ACL object. That check is voided by always having an ACL object regardless
of whether the ACL rule file was specified or not.
One fix considered was adding an ACL rule "acl deny-log all create link" to
the formerly null rule set when no ACL file is specified. This solution has
too much complexity in several places and is too hard.
The fix implemented here is a boolean flag indicating if the ACL rule set
in force is specified by the user or not. Then the security check tests
that the acl exists (always true) and that the rule set is specified by the
user.
> C++ Broker interbroker links should be protected by ACL
> -------------------------------------------------------
>
> Key: QPID-4631
> URL: https://issues.apache.org/jira/browse/QPID-4631
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Affects Versions: 0.20
> Reporter: Chuck Rolke
> Assignee: Chuck Rolke
> Fix For: 0.23
>
>
> This issue addresses CVE-2012-4446
> Federated interbroker links may be opened by client programs and not just by brokers. By default the creation of these links is not protected any formal authorization.
> Users concerned about this issue may immediately lock their systems down by creating ACL rules that allow links to be created only by authorized users. For instance the following ACL rules on each broker would provide the lockdown necessary:
> group proxies <id1> <id2> ...
> acl allow proxies create link
> acl deny-log all create link
> A better solution is for the ACL module to deny the creation of links unless ACL rules are specified to specifically allow them.
> In pseudo code the solution is in two parts. Part one observes CREATE LINK rules in the acl file. Part two authorizes link creation only if ACL is loaded, CREATE LINK ACL rules are specified, and the specific user is authorized to create the link in question:
> function readAclFile()
> ...
> if (CREATE LINK rules are specified)
> set acl->createLinkFlag
> endif
> ...
> end function
> function brokerCreateLink()
> if (aclLoaded)
> if (acl->createLinkFlag)
> if (acl->authorise(user, create, link, properties))
> <create link allowed>
> else
> <create link denied - not authorized>
> endif
> else
> <create link denied - acl did not specify a create link rule>
> endif
> else
> <create link denied - acl module not loaded>
> endif
> end function
> This Jira will track the implementation of this restriction.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org