Posted to dev@zookeeper.apache.org by "Igor Delac (Jira)" <ji...@apache.org> on 2023/07/27 07:43:00 UTC
[jira] [Created] (ZOOKEEPER-4727) zNode deleted despite not having access rights (zNode with ACL)
Igor Delac created ZOOKEEPER-4727:
-------------------------------------
Summary: zNode deleted despite not having access rights (zNode with ACL)
Key: ZOOKEEPER-4727
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4727
Project: ZooKeeper
Issue Type: Bug
Components: java client, server
Affects Versions: 3.8.1
Reporter: Igor Delac
Hello,
I've found a problem with ZooKeeper that allows any client to delete a zNode regardless of the ACL set for the zNode.
I'm not sure whether this issue belongs in an ordinary JIRA ticket or whether it is a vulnerability.
Here are the steps I used to reproduce the problem:
1) Create zNode /users.
2) Create zNode /users/john.
[zk: localhost:2181(CONNECTED) 1] create /users
Created /users
[zk: localhost:2181(CONNECTED) 2] create /users/john
3) Set auth.scheme digest, with password 'john123' on the zNode /users/john.
3.1) Generate digest for the user john and password john123.
root@dev-id-client:/opt/zookeeper-3.8.2# java -classpath 'lib/*' org.apache.zookeeper.server.auth.DigestAuthenticationProvider john:john123
16:02:56.377 [main] INFO org.apache.zookeeper.server.auth.DigestAuthenticationProvider - ACL digest algorithm is: SHA1
john:john123->john:SNEZzLxGQHaYcjRvU8KnG1WX9rU=
root@dev-id-client:/opt/zookeeper-3.8.2#
3.2) Assign ACL for the zNode /users/john.
[zk: localhost:2181(CONNECTED) 6] setAcl /users/john digest:john:SNEZzLxGQHaYcjRvU8KnG1WX9rU=:cdrwa
[zk: localhost:2181(CONNECTED) 7]
4) Test the access to the zNode /users/john. Try to read the ACL.
[zk: localhost:2181(CONNECTED) 7] getAcl /users/john
Insufficient permission : /users/john
[zk: localhost:2181(CONNECTED) 8]
Here the response makes sense. Because of the zNode ACL set, access is denied.
5) Try to delete the zNode /users/john.
[zk: localhost:2181(CONNECTED) 8] delete /users/john
[zk: localhost:2181(CONNECTED) 9]
I'd expect to see an *Insufficient permission* message here.
6) Verify that zNode was successfully deleted.
[zk: localhost:2181(CONNECTED) 9] stat /users/john
Node does not exist: /users/john
[zk: localhost:2181(CONNECTED) 10]
7) whoami command shows the following.
[zk: localhost:2181(CONNECTED) 10] whoami
Auth scheme: User
ip: 127.0.0.1
[zk: localhost:2181(CONNECTED) 11]
In my opinion, the delete operation should not be possible if access to the zNode was rejected, e.g. *getAcl* fails with *Insufficient permission : /users/john*.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
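Added example, not part of the original report and not ZooKeeper's own code: ZooKeeper documents DELETE as the permission to delete a child node, so a delete is authorized against the parent's ACL, while getAcl is authorized against the node's own ACL. This simplified Python model (function names and the admin digest placeholder are assumptions) replays the tree from the report and audits for znodes that deny anonymous writes yet can still be deleted anonymously through an open parent.

```python
# Simplified model of ZooKeeper ACL checks; names are hypothetical, not ZooKeeper APIs.
ANON = frozenset()  # session with no addauth identities

def parent_of(path):
    return path.rsplit("/", 1)[0] or "/"

def allowed(acl, identities, perms):
    """True if any ACL entry (scheme, id, perms) grants one of `perms` to the session."""
    return any(
        set(perms) & set(granted)
        and ((scheme, ident) == ("world", "anyone") or (scheme, ident) in identities)
        for scheme, ident, granted in acl
    )

def can_get_acl(tree, path, identities):
    # getAcl is authorized against the node's own ACL (READ or ADMIN).
    return allowed(tree[path], identities, "ra")

def can_delete(tree, path, identities):
    # delete is authorized against the PARENT's ACL: DELETE means "may delete a child".
    return allowed(tree[parent_of(path)], identities, "d")

def audit(tree):
    """Paths that deny anonymous WRITE/ADMIN but that an anonymous session can delete."""
    return [
        p for p in sorted(tree)
        if p != "/" and not allowed(tree[p], ANON, "wa") and can_delete(tree, p, ANON)
    ]

# Constructed sample data mirroring the report: parents keep the default open ACL.
OPEN = [("world", "anyone", "cdrwa")]
JOHN = [("digest", "john:SNEZzLxGQHaYcjRvU8KnG1WX9rU=", "cdrwa")]
ADMIN_ID = ("digest", "admin:<digest-placeholder>")  # placeholder identity, not a real digest
LOCKED = [("world", "anyone", "r"), ADMIN_ID + ("cdrwa",)]

REPORTED = {"/": OPEN, "/users": OPEN, "/users/john": JOHN}
HARDENED = {"/": LOCKED, "/users": LOCKED, "/users/john": JOHN}

if __name__ == "__main__":
    print("getAcl /users/john (anonymous):", can_get_acl(REPORTED, "/users/john", ANON))
    print("delete /users/john (anonymous):", can_delete(REPORTED, "/users/john", ANON))
    print("audit, reported tree:", audit(REPORTED))
    print("audit, hardened tree:", audit(HARDENED))
```

In the hardened tree, DELETE on /users is granted only to the placeholder admin identity, so removing /users/john requires that credential.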