Posted to user@guacamole.apache.org by feifei0814a <87...@qq.com> on 2017/12/27 12:03:16 UTC

how to prohibit common users from changing their permissions through the API

I installed Guacamole in my VM, whose system is CentOS 7, and I can
log in and connect to the appointed computers with the MySQL database. Now, I am
using the Python Flask framework to add users and connections through API auth.
I can change any user's permissions through the original API; it looks
like http://192.168.20.137:8080/guacamole/api/session/data/mysql/users/seu_test/permissions/?token=283B83044A770DE379D25780674B99225801C2DC5A03DCF358E349DCF5738E8E
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t476/1.png>
So, any person who knows the API can change his permission, and it is very
dangerous to my Python web program.
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t476/2.png>
I found a website that also uses Guacamole; however, common users cannot
change their permissions, and the info is:
HTTP Status 500 - org.apache.guacamole.GuacamoleSecurityException:
Permission denied.
*type* Exception report
*message* _org.apache.guacamole.GuacamoleSecurityException: Permission
denied._
*description* _The server encountered an internal error that prevented it
from fulfilling this request._
*exception* 
javax.servlet.ServletException:
org.apache.guacamole.GuacamoleSecurityException: Permission denied.
com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:420)
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:263)
com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:178)
com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:62)
com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118)
com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
*root cause* 
org.apache.guacamole.GuacamoleSecurityException: Permission denied.
org.apache.guacamole.auth.jdbc.permission.ModeledObjectPermissionService.createPermissions(ModeledObjectPermissionService.java:138)
org.apache.guacamole.auth.jdbc.permission.ObjectPermissionSet.addPermissions(ObjectPermissionSet.java:113)
org.apache.guacamole.rest.permission.PermissionSetPatch.apply(PermissionSetPatch.java:87)
org.apache.guacamole.rest.permission.PermissionSetResource.patchPermissions(PermissionSetResource.java:273)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$VoidOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:167)
com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:302)
com.sun.jersey.server.impl.uri.rules.SubLocatorRule.accept(SubLocatorRule.java:137)
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
com.sun.jersey.server.impl.uri.rules.SubLocatorRule.accept(SubLocatorRule.java:137)
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
com.sun.jersey.server.impl.uri.rules.SubLocatorRule.accept(SubLocatorRule.java:137)
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
com.sun.jersey.server.impl.uri.rules.SubLocatorRule.accept(SubLocatorRule.java:137)
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
com.sun.jersey.server.impl.uri.rules.SubLocatorRule.accept(SubLocatorRule.java:137)
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1511)
com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1442)
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1391)
com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1381)
com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:538)
com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:716)
javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:263)
com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:178)
com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:62)
com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:118)
com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:113)
*note* _The full stack trace of the root cause is available in the Apache
Tomcat/7.0.69 logs._
Apache Tomcat/7.0.69
I really want to know if I can have a similar function, and how to change the
source code. Or is there some setting to be set in Guacamole which I don't
know about?

--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: how to prohibit common users from changing their permissions through the API

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Dec 27, 2017 at 21:59 feifei0814a <87...@qq.com> wrote:

> I know you said users cannot change their own permissions on the HTML5
> website; it looks just like
> <http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t476/44.png>
> and my admin user's page is
> <http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t476/55.png>
> and the user 'seu_test' has no permissions
> <http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t476/66.png>
>
> And I can change user 'seu_test''s permission through the API using the PATCH
> function with HTML in the Postman tool
> <http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t476/88.png>
> You can find that the response is 204 and the user 'seu_test' now has
> the administer permission.
> <http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t476/99.png>


Are you absolutely certain, when running this through Postman, that the
token you're using belongs to the seu_test user, and not to the guacadmin
user?  The screenshots did not provide enough detail to verify that you're
using the correct token from the correct logon for this operation.

-Nick



>
> I downloaded the guacamole-client and auth-jdbc from the official website and
> the version is 0.9.13. So, I don't know how to change the source code in
> order to forbid common users from changing their permission through the API with
> the PATCH function
>

Re: how to prohibit common users from changing their permissions through the API

Posted by feifei0814a <87...@qq.com>.
I know you said users cannot change their own permissions on the HTML5
website; it looks just like
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t476/44.png>
and my admin user's page is
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t476/55.png>
and the user 'seu_test' has no permissions
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t476/66.png>

And I can change user 'seu_test''s permission through the API using the PATCH
function with HTML in the Postman tool
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t476/88.png>
You can find that the response is 204 and the user 'seu_test' now has the
administer permission.
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/file/t476/99.png>

I downloaded the guacamole-client and auth-jdbc from the official website and
the version is 0.9.13. So, I don't know how to change the source code in
order to forbid common users from changing their permission through the API with
the PATCH function

Re: how to prohibit common users from changing their permissions through the API

Posted by Mike Jumper <mi...@guac-dev.org>.
On Wed, Dec 27, 2017 at 4:03 AM, feifei0814a <87...@qq.com> wrote:

> I installed Guacamole in my VM, whose system is CentOS 7, and I can
> log in and connect to the appointed computers with the MySQL database. Now, I am
> using the Python Flask framework to add users and connections through API auth.
> I can change any user's permissions through the original API; it looks like
> http://192.168.20.137:8080/guacamole/api/session/data/mysql/users/seu_test/permissions/?token=283B83044A770DE379D25780674B99225801C2DC5A03DCF358E349DCF5738E8E
> So, any person who knows the API can change his permission, and it is very
> dangerous to my Python web program.


No, this is incorrect. Users cannot change their own permissions unless
they actually have permission to do so. Guacamole enforces all permissions,
including permissions which dictate whether a particular user account can
be modified by the current user. As long as you don't grant your users
admin permissions, they will not have admin permissions.

See:

http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-schema-permissions

- Mike
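Mike's point is that the PATCH only succeeds for a token whose owner already holds the right to administer the target account, so the thing to audit is who holds such grants. The script below is an added example, not code from the thread or from the Guacamole project: it reads the per-user permission JSON (the same `/users/<name>/permissions` endpoint the original post used; the sample data is constructed) and lists every user who can alter another user's permissions. It assumes that system-level ADMINISTER, or object-level ADMINISTER on the target user, is what unlocks the PATCH; verify that against the linked schema documentation for your version.

```python
import json
import urllib.request

# Constructed sample of what GET /api/session/data/mysql/users/<name>/permissions
# returns for three users (key names follow Guacamole's permission JSON; values invented).
SAMPLE_PERMISSIONS = {
    "guacadmin": {
        "systemPermissions": ["ADMINISTER"],
        "userPermissions": {"guacadmin": ["READ", "UPDATE", "ADMINISTER"]},
    },
    "seu_test": {
        "systemPermissions": [],
        "userPermissions": {"seu_test": ["READ"]},
    },
    "helpdesk": {
        "systemPermissions": ["CREATE_USER"],
        "userPermissions": {"helpdesk": ["READ"], "seu_test": ["READ", "UPDATE", "ADMINISTER"]},
    },
}


def can_alter_permissions(perms, target_user):
    """True if a holder of `perms` may change `target_user`'s permissions.
    Assumption: system ADMINISTER, or object-level ADMINISTER on the target
    user, is the grant that allows the permissions PATCH to succeed."""
    if "ADMINISTER" in perms.get("systemPermissions", []):
        return True
    return "ADMINISTER" in perms.get("userPermissions", {}).get(target_user, [])


def audit_escalation_paths(all_perms):
    """Return (grantor, target) pairs: every system administrator as (user, "*"),
    and every other user able to alter some account's permissions (their own included)."""
    findings = []
    for user, perms in sorted(all_perms.items()):
        if "ADMINISTER" in perms.get("systemPermissions", []):
            findings.append((user, "*"))
            continue
        for target in sorted(all_perms):
            if can_alter_permissions(perms, target):
                findings.append((user, target))
    return findings


def fetch_permissions(base_url, token, username):
    """Pull the live JSON for one user via the endpoint shown in the thread
    (token passed as a query parameter, as in the original post). Not run here."""
    url = f"{base_url}/api/session/data/mysql/users/{username}/permissions?token={token}"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for grantor, target in audit_escalation_paths(SAMPLE_PERMISSIONS):
        print(f"{grantor} can alter permissions of {target}")
```

Run it against live data by replacing `SAMPLE_PERMISSIONS` with `{u: fetch_permissions(base, admin_token, u) for u in users}`; a user listed as grantor who should not be (or a non-admin able to alter their own account) is the misconfiguration to fix in the database, not something to patch around in the REST layer.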