Posted to dev@cloudstack.apache.org by Marcus Sorensen <sh...@gmail.com> on 2013/11/26 17:28:01 UTC

HELP with CLOUDSTACK-5145 security issue

Is there anyone who can help with CLOUDSTACK-5145?  There's a security
issue with 4.2+ due to the new ACL design. Anyone listing ACLs sees
ALL ACLs in the system, and if a network has no ACLs then filtering by
network also lists ALL ACLs. As you can imagine, this causes a lot of
problems.  I could hack together some joins to link network_acl,
network_acl_item, and vpc tables to get the account owning the acls,
but I also see this "_accountMgr.buildACLSearchBuilder" which seems
to be commented out of the list code. I'm wondering if there's a more
elegant way to do it.
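
An added example (not part of the original message and not CloudStack code) of the join-based ownership scoping the message describes, run against SQLite. The schema is a simplified, constructed stand-in: the column names, the `networks.network_acl_id` link, and the helper names `make_db` and `list_acl_items` are assumptions.

```python
import sqlite3

# Simplified, constructed schema: column names are assumptions, not CloudStack's real DDL.
SCHEMA = """
CREATE TABLE vpc (id INTEGER PRIMARY KEY, account_id INTEGER NOT NULL);
CREATE TABLE network_acl (id INTEGER PRIMARY KEY, vpc_id INTEGER NOT NULL);
CREATE TABLE network_acl_item (id INTEGER PRIMARY KEY, acl_id INTEGER NOT NULL, cidr TEXT);
CREATE TABLE networks (id INTEGER PRIMARY KEY, vpc_id INTEGER NOT NULL, network_acl_id INTEGER);
"""
# Constructed sample rows: account 1 owns VPC 10, account 2 owns VPC 20.
# Network 1001 belongs to account 1 but has no ACL attached.
ROWS = """
INSERT INTO vpc VALUES (10, 1), (20, 2);
INSERT INTO network_acl VALUES (100, 10), (200, 20);
INSERT INTO network_acl_item VALUES
  (1, 100, '10.0.0.0/24'), (2, 100, '10.0.1.0/24'), (3, 200, '192.168.0.0/24');
INSERT INTO networks VALUES (1000, 10, 100), (1001, 10, NULL), (2000, 20, 200);
"""

def make_db():
    """Build the in-memory sample database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + ROWS)
    return db

def list_acl_items(db, caller_account_id, network_id=None):
    """Return ACL item ids visible to the caller, optionally limited to one network."""
    # Ownership is always enforced through network_acl_item -> network_acl -> vpc.
    sql = """SELECT i.id FROM network_acl_item i
             JOIN network_acl a ON a.id = i.acl_id
             JOIN vpc v ON v.id = a.vpc_id
             WHERE v.account_id = ?"""
    params = [caller_account_id]
    if network_id is not None:
        # A network with no ACL yields NULL here, which matches no rows, so the
        # filter narrows the result instead of silently dropping out.
        sql += " AND a.id IN (SELECT n.network_acl_id FROM networks n WHERE n.id = ?)"
        params.append(network_id)
    return [row[0] for row in db.execute(sql + " ORDER BY i.id", params)]
```

The account predicate stays in the query even when a network filter is supplied, so a network id owned by another account also returns nothing.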

Re: HELP with CLOUDSTACK-5145 security issue

Posted by Marcus Sorensen <sh...@gmail.com>.
The bug was raised (CLOUDSTACK-5145), but not closed, so I assumed it
was still open.

On Tue, Nov 26, 2013 at 1:46 PM, Alena Prokharchyk
<Al...@citrix.com> wrote:
> I believe this bug was raised in the community list before, and fixed by Kishan. Kishan, please comment.
>
> -Alena.
> From: Marcus Sorensen <sh...@gmail.com>
> Reply-To: "dev@cloudstack.apache.org" <de...@cloudstack.apache.org>
> Date: Tuesday, November 26, 2013 8:28 AM
> To: "dev@cloudstack.apache.org" <de...@cloudstack.apache.org>
> Subject: HELP with CLOUDSTACK-5145 security issue
>
> Is there anyone who can help with CLOUDSTACK-5145?  There's a security
> issue with 4.2+ due to the new ACL design. Anyone listing ACLs sees
> ALL ACLs in the system, and if a network has no ACLs then filtering by
> network also lists ALL ACLs. As you can imagine, this causes a lot of
> problems.  I could hack together some joins to link network_acl,
> network_acl_item, and vpc tables to get the account owning the acls,
> but I also see this "_accountMgr.buildACLSearchBuilder" which seems
> to be commented out of the list code. I'm wondering if there's a more
> elegant way to do it.
>

Re: HELP with CLOUDSTACK-5145 security issue

Posted by Alena Prokharchyk <Al...@citrix.com>.
I believe this bug was raised in the community list before, and fixed by Kishan. Kishan, please comment.

-Alena.
From: Marcus Sorensen <sh...@gmail.com>
Reply-To: "dev@cloudstack.apache.org" <de...@cloudstack.apache.org>
Date: Tuesday, November 26, 2013 8:28 AM
To: "dev@cloudstack.apache.org" <de...@cloudstack.apache.org>
Subject: HELP with CLOUDSTACK-5145 security issue

Is there anyone who can help with CLOUDSTACK-5145?  There's a security
issue with 4.2+ due to the new ACL design. Anyone listing ACLs sees
ALL ACLs in the system, and if a network has no ACLs then filtering by
network also lists ALL ACLs. As you can imagine, this causes a lot of
problems.  I could hack together some joins to link network_acl,
network_acl_item, and vpc tables to get the account owning the acls,
but I also see this "_accountMgr.buildACLSearchBuilder" which seems
to be commented out of the list code. I'm wondering if there's a more
elegant way to do it.