You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@vcl.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2014/02/07 21:00:26 UTC
[jira] [Commented] (VCL-745) Windows.pm user_logged_in does not
check for imaging requests
[ https://issues.apache.org/jira/browse/VCL-745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13894947#comment-13894947 ]
ASF subversion and git services commented on VCL-745:
-----------------------------------------------------
Commit 1565780 from [~arkurth] in branch 'vcl/trunk'
[ https://svn.apache.org/r1565780 ]
VCL-745
Added check to Windows.pm::user_logged_in to use the 'Administrator' username for imaging requests.
VCL-746
Updated Windows.pm::get_service_configuration to copy the reg export text file from the remote computer to the management node and then retrieve its contents locally.
Added OS.pm::copy_file_from subroutine. This is called from get_service_configuration.
Other
Removed duplicate call to update_public_ip_address in Windows.pm::post_load.
> Windows.pm user_logged_in does not check for imaging requests
> -------------------------------------------------------------
>
> Key: VCL-745
> URL: https://issues.apache.org/jira/browse/VCL-745
> Project: VCL
> Issue Type: Bug
> Components: vcld (backend)
> Affects Versions: 2.3.2
> Reporter: Andy Kurth
> Priority: Minor
> Fix For: 2.4
>
>
> During the period when a reservation is in the reserved state, the check_connection_on_port subroutine in Windows.pm detects when a connection is made on the port corresponding to the conection method (3389 in this case). When a connection is detected, check_connection_on_port also checks if the connection is from the same IP address which was captured by the website when the user clicked Connect. The IP addresses normally match but in some cases such as when a VPN is used they may be different. When different, an additional step is performed to call the user_logged_in subroutine in Windows.pm to retrieve the names of the users logged in to the reservation computer. This is necessary because the firewall is open to any address during this period. Someone doing a port scan may connect to the computer. We need to verify that the connection is from the actual user by checking if a user matching the reservation username is logged in. If the reservation user is logged in, it is assumed that the the VPN situation occured and the IP address the user connected from is assumed to be correct and the firewall is configured properly.
> As you know, for imaging requests the "Administrator" user is used to login to the reservation instead of the normal username. The user_logged_in subroutine uses the normal username if no argument is supplied without checking if this is an imaging requests or not. As a result, it never detects that Administrator is logged in. After the loop times out, the firewall is locked down to the IP address retrieved from the website.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)