You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "michael j. goulish (Resolved) (JIRA)" <ji...@apache.org> on 2011/10/14 17:42:11 UTC

[jira] [Resolved] (QPID-3528) qpid --help has wrong description of sasl-config parameter

     [ https://issues.apache.org/jira/browse/QPID-3528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

michael j. goulish resolved QPID-3528.
--------------------------------------

       Resolution: Fixed
    Fix Version/s: Future

"Fixed" -- sort of -- in r1183121 .

Well -- actually, the most offensive word in the help message -- "FILE" that should have been "DIR" -- was fixed earlier.

But this JIRA made me realize that there was what I consider to be a serious security flaw here, which I fixed.  ( I probably should have made a new JIRA... )

The SASL library call sasl_set_path(), which is a recent addition to the library, does not check the validity of the path when it is called.  If you give it a bad path, or one for which you have insufficient permissions, then the library will discover this later, and will then use the default location.

That's a gross security hole.  That library should not default to anything.  It should either use your intended SASL db, or fail noisily. We should never have a situation where a production user of our system starts up with a set of SASL usernames and passwords that is not what he expects.

The code that I put in before the sasl_set_path() call has that effect.  It checks for existence and accessibility of the given directory -- and if it fails it will prevent broker start-up.


                
> qpid --help has wrong description of sasl-config parameter
> ----------------------------------------------------------
>
>                 Key: QPID-3528
>                 URL: https://issues.apache.org/jira/browse/QPID-3528
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.10
>            Reporter: Pavel Moravec
>            Assignee: michael j. goulish
>            Priority: Trivial
>              Labels: patch
>             Fix For: Future
>
>         Attachments: saslconfig-help.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> Description of problem:
> qpidd --help shows sasl-config option to specify filename of SASL config file.
> That is wrong as it specifies _directory_ (like /etc/sasl2) where qpidd.conf
> for SASL lies.
> man pages of qpid are correct:
>        --sasl-config DIR
>               gets sasl config info from nonstandard location
> Just qpidd --help is wrong.
> Version-Release number of selected component (if applicable):
> any (MRG 2.0 checked)
> How reproducible:
> 100%
> Steps to Reproduce:
> 1. qpidd --help | grep -A1 sasl
> Actual results:
> # qpidd --help | grep -A1 sasl
>   --sasl-config FILE                                  gets sasl config from 
>                                                       nonstandard location
> #
> Expected results:
> # qpidd --help | grep -A1 sasl
>   --sasl-config DIR (/etc/sasl2)                     gets sasl config from 
>                                                      nonstandard directory
> #
> Additional info:
> Patch attached.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org