You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "michael j. goulish (Resolved) (JIRA)" <ji...@apache.org> on 2011/10/14 17:42:11 UTC
[jira] [Resolved] (QPID-3528) qpid --help has wrong description of
sasl-config parameter
[ https://issues.apache.org/jira/browse/QPID-3528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
michael j. goulish resolved QPID-3528.
--------------------------------------
Resolution: Fixed
Fix Version/s: Future
"Fixed" -- sort of -- in r1183121 .
Well -- actually, the most offensive word in the help message -- "FILE" that should have been "DIR" -- was fixed earlier.
But this JIRA made me realize that there was what I consider to be a serious security flaw here, which I fixed. ( I probably should have made a new JIRA... )
The SASL library call sasl_set_path(), which is a recent addition to the library, does not check the validity of the path when it is called. If you give it a bad path, or one for which you have insufficient permissions, then the library will discover this later, and will then use the default location.
That's a gross security hole. That library should not default to anything. It should either use your intended SASL db, or fail noisily. We should never have a situation where a production user of our system starts up with a set of SASL usernames and passwords that is not what he expects.
The code that I put in before the sasl_set_path() call has that effect. It checks for existence and accessibility of the given directory -- and if it fails it will prevent broker start-up.
> qpid --help has wrong description of sasl-config parameter
> ----------------------------------------------------------
>
> Key: QPID-3528
> URL: https://issues.apache.org/jira/browse/QPID-3528
> Project: Qpid
> Issue Type: Bug
> Components: C++ Broker
> Affects Versions: 0.10
> Reporter: Pavel Moravec
> Assignee: michael j. goulish
> Priority: Trivial
> Labels: patch
> Fix For: Future
>
> Attachments: saslconfig-help.patch
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> Description of problem:
> qpidd --help shows sasl-config option to specify filename of SASL config file.
> That is wrong as it specifies _directory_ (like /etc/sasl2) where qpidd.conf
> for SASL lies.
> man pages of qpid are correct:
> --sasl-config DIR
> gets sasl config info from nonstandard location
> Just qpidd --help is wrong.
> Version-Release number of selected component (if applicable):
> any (MRG 2.0 checked)
> How reproducible:
> 100%
> Steps to Reproduce:
> 1. qpidd --help | grep -A1 sasl
> Actual results:
> # qpidd --help | grep -A1 sasl
> --sasl-config FILE gets sasl config from
> nonstandard location
> #
> Expected results:
> # qpidd --help | grep -A1 sasl
> --sasl-config DIR (/etc/sasl2) gets sasl config from
> nonstandard directory
> #
> Additional info:
> Patch attached.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org