Posted to user@karaf.apache.org by to...@quarendon.net on 2017/08/31 11:01:29 UTC

Potential security issue with default karaf console access control lists?

Any user that can log on to the karaf console appears to be able to run the "shell:cat" command (among others), and hence view any file that the operating system user that's running the karaf process can see. Whilst there is access control on a few of the shell scope commands, it seems that the default access control allows any user to run things with no explicit access control.

This *feels* like a security issue to me. 

I'd like to be able to restrict access to the shell completely, but from experiment and looking at the code it appears that anyone who has some kind of "role" assigned to them (either directly, or as a member of a group) appears to be able to connect to the karaf console, and hence can potentially navigate the visible filesystem.  This doesn't feel very desirable. 

It seems a shame that I can no longer restrict access to the console using the "sshRole" configuration property (still referenced in the documentation), but it seems that was removed when the role based access control was introduced.

Other than physically restricting access to the SSH port, are there other ways I can restrict access to the console? Or do I need to develop my own access control list for the shell scope, and accept that all users can potentially access the console?

Thanks.

Re: Potential security issue with default karaf console access control lists?

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Yeah, thanks. I'm gonna fix that.

Regards
JB

On 08/31/2017 02:29 PM, tom@quarendon.net wrote:
> OK, JIRA created.
> 
> I realise it's worse. I can *write* to files with "tac", so I can rewrite the users.properties file if I want to and create new users with admin privileges. Cool.
> 
> 
> 
>> On 31 August 2017 at 13:04 Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
>>
>>
>> I agree: as we did for vi/edit command, we should limit cat to admin role.
>>
>> Can you create a Jira about that ?
>>
>> Thanks !
>> Regards
>> JB
>>
>> On 08/31/2017 01:01 PM, tom@quarendon.net wrote:
>>> Any user that can log on to the karaf console appears to be able to run the "shell:cat" command (among others), and hence view any file that the operating system user that's running the karaf process can see. Whilst there is access control on a few of the shell scope commands, it seems that the default access control allows any user to run things with no explicit access control.
>>>
>>> This *feels* like a security issue to me.
>>>
>>> I'd like to be able to restrict access to the shell completely, but from experiment and looking at the code it appears that anyone who has some kind of "role" assigned to them (either directly, or as a member of a group) appears to be able to connect to the karaf console, and hence can potentially navigate the visible filesystem.  This doesn't feel very desirable.
>>>
>>> It seems a shame that I can no longer restrict access to the console using the "sshRole" configuration property (still referenced in the documentation), but it seems that was removed when the role based access control was introduced.
>>>
>>> Other than physically restricting access to the SSH port, are there other ways I can restrict access to the console? Or do I need to develop my own access control list for the shell scope, and accept that all users can potentially access the console?
>>>
>>> Thanks.
>>>
>>
>> -- 
>> Jean-Baptiste Onofré
>> jbonofre@apache.org
>> http://blog.nanthrax.net
>> Talend - http://www.talend.com

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com

Re: Potential security issue with default karaf console access control lists?

Posted by to...@quarendon.net.
OK, JIRA created.

I realise it's worse. I can *write* to files with "tac", so I can rewrite the users.properties file if I want to and create new users with admin privileges. Cool.



> On 31 August 2017 at 13:04 Jean-Baptiste Onofré <jb...@nanthrax.net> wrote:
> 
> 
> I agree: as we did for vi/edit command, we should limit cat to admin role.
> 
> Can you create a Jira about that ?
> 
> Thanks !
> Regards
> JB
> 
> On 08/31/2017 01:01 PM, tom@quarendon.net wrote:
> > Any user that can log on to the karaf console appears to be able to run the "shell:cat" command (among others), and hence view any file that the operating system user that's running the karaf process can see. Whilst there is access control on a few of the shell scope commands, it seems that the default access control allows any user to run things with no explicit access control.
> > 
> > This *feels* like a security issue to me.
> > 
> > I'd like to be able to restrict access to the shell completely, but from experiment and looking at the code it appears that anyone who has some kind of "role" assigned to them (either directly, or as a member of a group) appears to be able to connect to the karaf console, and hence can potentially navigate the visible filesystem.  This doesn't feel very desirable.
> > 
> > It seems a shame that I can no longer restrict access to the console using the "sshRole" configuration property (still referenced in the documentation), but it seems that was removed when the role based access control was introduced.
> > 
> > Other than physically restricting access to the SSH port, are there other ways I can restrict access to the console? Or do I need to develop my own access control list for the shell scope, and accept that all users can potentially access the console?
> > 
> > Thanks.
> > 
> 
> -- 
> Jean-Baptiste Onofré
> jbonofre@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com

Re: Potential security issue with default karaf console access control lists?

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
I agree: as we did for vi/edit command, we should limit cat to admin role.

Can you create a Jira about that ?

Thanks !
Regards
JB

On 08/31/2017 01:01 PM, tom@quarendon.net wrote:
> Any user that can log on to the karaf console appears to be able to run the "shell:cat" command (among others), and hence view any file that the operating system user that's running the karaf process can see. Whilst there is access control on a few of the shell scope commands, it seems that the default access control allows any user to run things with no explicit access control.
> 
> This *feels* like a security issue to me.
> 
> I'd like to be able to restrict access to the shell completely, but from experiment and looking at the code it appears that anyone who has some kind of "role" assigned to them (either directly, or as a member of a group) appears to be able to connect to the karaf console, and hence can potentially navigate the visible filesystem.  This doesn't feel very desirable.
> 
> It seems a shame that I can no longer restrict access to the console using the "sshRole" configuration property (still referenced in the documentation), but it seems that was removed when the role based access control was introduced.
> 
> Other than physically restricting access to the SSH port, are there other ways I can restrict access to the console? Or do I need to develop my own access control list for the shell scope, and accept that all users can potentially access the console?
> 
> Thanks.
> 

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
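The original post asks how the shell scope can be locked down before an upstream fix lands, and Jean-Baptiste's reply proposes the same approach already used for vi/edit: limit the file-handling commands to the admin role. The fragment below is an added example of such a command ACL, not configuration shipped by Karaf or posted by either participant. It assumes Karaf's per-scope ACL file naming convention (etc/org.apache.karaf.command.acl.<scope>.cfg, here the shell scope), the `command = role[, role]` entry syntax, and the default `admin` role from users.properties; the list of commands restricted is a choice made here for illustration and should be checked against the command set of the Karaf version actually deployed.

```properties
# etc/org.apache.karaf.command.acl.shell.cfg
# Added example: explicit ACLs for the shell scope. Commands not listed here
# keep Karaf's default behaviour, which is what the thread objects to, so
# every command that reads, writes or executes on the host is named explicitly.
# Assumption: 'admin' is the role assigned to operators in etc/users.properties.

# File read access: shell:cat is the command the thread starts with.
cat = admin
head = admin
tail = admin

# File write access: shell:tac can overwrite users.properties, as noted
# further up the thread, so it gets the same restriction.
tac = admin

# Editing and process/code execution on the host.
edit = admin
exec = admin
new = admin
java = admin
```

Karaf picks this file up through Config Admin, so no restart is needed once it is placed in etc/. A quick check from the defender's side is to log in with an account that carries only a non-admin role and run `shell:cat` on any file; a correctly applied ACL refuses the command instead of printing the file. Two caveats worth keeping in mind: this only covers commands in the shell scope, so other scopes whose commands touch the filesystem need their own acl file, and it does not by itself stop a non-admin user from opening a console session, which is the separate sshRole-style restriction the original post is asking about.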