Eucalyptus

not applying access authorisation checks

Bug #388934 reported by robb1e
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Eucalyptus
Fix Released
Undecided
Unassigned
eucalyptus (Ubuntu)
Fix Released
High
Dustin Kirkland 

Bug Description

When using the portal to disable a user, the certs and keys are still valid and that user can still create and terminate instances.

Cheers

Robbie

Revision history for this message
Neil Soman (neilsoman) wrote :

I've re-targeted to 1.6

If you are using the 1.6 development and have existing users that you care about, credentials will not work. Hopefully, this is a non issue since folks are probably not using the 1.6 development branch in production. If you want your existing users to work, you need to login to the web interface as admin and click "disable" on each user, then "enable" again.

------------------------------------------------------------
revno: 900
committer: Neil <neil@pall>
branch nick: 1.6
timestamp: Mon 2009-09-28 11:55:06 -0700
message:
  fixes #388934

Changed in eucalyptus:
status: New → Fix Committed
Dustin Kirkland  (kirkland)
Changed in eucalyptus (Ubuntu):
status: New → Triaged
importance: Undecided → High
Matt Zimmerman (mdz)
security vulnerability: no → yes
Dustin Kirkland  (kirkland)
Changed in eucalyptus (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Dustin Kirkland (kirkland)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eucalyptus - 1.6~bzr912-0ubuntu1

---------------
eucalyptus (1.6~bzr912-0ubuntu1) karmic; urgency=low

  * Merge upstream revision 912
  * tools/eucalyptus-cc.in: resolve conflict, ensuring that we maintain
    the 'ThreadsPerChild 1' sed
  * clc/modules/www/src/main/java/edu/ucsb/eucalyptus/admin/server/ServletUtils.java:
    resolve conflict, drop our diff, as upstream has solved the smtp
    hostname issue
  * debian/patches/boot-order.patch: dropped, applies to a file we don't
    use anymore so it can be removed
  * debian/eucalyptus-walrus.eucalyptus-walrus-registration.upstart: source
    conf file and use $WALRUS_IP_ADDR variable, like the other scripts
  * This snapshot is expected to fix the following bugs:
    - LP: #388934 - apply authorization checks
    - LP: #430226 - fix display of image permissions
    - LP: #430957 - fix running of instances in SYSTEM mode
    - LP: #436276 - sc should run as eucalyptus, instead of root
    - LP: #436313 - fix sc registration through web ui
    - LP: #436407 - fix cc segfaults with apache-mpm-worker, rampart
    - LP: #436885 - fix database corruption, c3p0 deadlock on CLC
    - LP: #437014 - handle execessive CLC sockets
    - LP: #439251 - fix restart-required after autoregistration issue
    - LP: #440744 - handle external command
    - LP: #440817 - fail gracefully with volume deletion on sc
    - LP: #443125 - fix loss of admin credentials

 -- Dustin Kirkland <email address hidden> Mon, 05 Oct 2009 15:02:11 -0500

Changed in eucalyptus (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
chris grzegorczyk (chris-grze) wrote :

Fix the NULL case handling in r912.

------------------------------------------------------------
revno: 912
committer: decker <decker@personal-army>
branch nick: 1.6
timestamp: Mon 2009-10-05 08:47:37 -0700
message:
  fix user lookup.
------------------------------------------------------------

graziano obertelli (graziano.obertelli)
Changed in eucalyptus:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.