Bug #6921

closed

Non root/sudo users can execute some commands for katello-disconnected

Added by Partha Aji over 9 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Inter Server Sync
Target version:
Difficulty:
easy
Triaged:
Yes
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1024107
Description of problem:

A non-root user cannot run all commands for katello-disconnected, but can apparently execute enough of them to cause some minor havoc.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a new user, 'loser'.
2. su - loser
3. As 'loser', run the setup command with the appropriate oauth-key and oauth-secret, as viewable in /etc/pulp/server.conf.
4. Attempt to run various katello-disconnected commands.

Actual results:
Some commands fail similar to:

[loser@hp-dl380pgen8-02-vm-15 ~]$ katello-disconnected list
Red Hat Repositories
/usr/share/katello-disconnected/lib/disconnected_pulp.rb:43:in `list': undefined method `enabled_repositories' for nil:NilClass (NoMethodError)
from /usr/bin/katello-disconnected:455:in `<main>'

Others, though, apparently do not! Commands that seem to work:
katello-disconnected sync
katello-disconnected export (mostly works)
katello-disconnected clean

Note that running 'clean' tended to muff up my katello-disconnected stuff for future syncs (admin and non-admin alike), though that may be a different issue unrelated to privileges.

Expected results:
Probably shouldn't allow this.
Should pulp's server.conf be readable only by root/sudo?
Possibly make katello-disconnected only +x by root/sudo, though I guess nothing stops someone from being able to create a script from source.
Not sure if we want to handle that NoMethodError for a non-priv user to indicate they probably shouldn't be doing this.

Additional info:
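
The two hardening ideas raised in the report (keep the oauth credentials file owner-readable only, and replace the NoMethodError on nil with an explicit error) can be demonstrated together. The following is an added example written for this page, not code from katello-disconnected or Pulp: it assumes a hypothetical INI-style credentials file with `oauth_key` / `oauth_secret` entries (constructed for the example), refuses to use the file when its mode grants group or world read access, and turns the nil-manifest case into a clear error.

```ruby
require 'tmpdir'

# Added example (not katello-disconnected's own code): guard a credentials
# file such as /etc/pulp/server.conf and fail clearly when it is unusable.
class ConfigPermissionError < StandardError; end
class MissingCredentialsError < StandardError; end

# True if the file mode grants read access to group or others (bits 0040/0004).
def world_or_group_readable?(path)
  mode = File.stat(path).mode & 0777
  (mode & 0044) != 0
end

# Load oauth_key / oauth_secret from a minimal "key = value" file.
# The file format is a constructed assumption for this example.
def load_oauth_credentials(path)
  if world_or_group_readable?(path)
    raise ConfigPermissionError,
          "#{path} is readable by other users; expected mode 0600 (owner-only)"
  end
  creds = {}
  File.foreach(path) do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#', '[')
    key, value = line.split(/\s*[:=]\s*/, 2)
    creds[key] = value if key && value
  end
  %w[oauth_key oauth_secret].each do |k|
    raise MissingCredentialsError, "#{k} not found in #{path}" if creds[k].nil? || creds[k].empty?
  end
  creds
end

# Replacement for calling enabled_repositories on a nil manifest: report
# why the manifest is missing instead of raising NoMethodError.
def enabled_repositories_or_error(manifest)
  if manifest.nil?
    raise MissingCredentialsError, 'no manifest loaded: run setup as a privileged user first'
  end
  manifest.fetch(:enabled_repositories)
end

# Constructed demonstration: a world-readable file is refused, an owner-only
# file is accepted, and a nil manifest yields an explicit error message.
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'server.conf')
    File.write(path, "[server]\noauth_key = example-key\noauth_secret = example-secret\n")
    results = {}

    File.chmod(0644, path) # world-readable: must be refused
    begin
      load_oauth_credentials(path)
      results[:world_readable] = :accepted
    rescue ConfigPermissionError
      results[:world_readable] = :refused
    end

    File.chmod(0600, path) # owner-only: accepted
    results[:owner_only] = load_oauth_credentials(path)['oauth_key']

    begin
      enabled_repositories_or_error(nil)
    rescue MissingCredentialsError => e
      results[:nil_manifest] = e.message
    end
    results
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The permission check only addresses the file; it does not stop a user who can already read the credentials through another path, which is why the report also suggests restricting who can execute the tool at all.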

#2

Updated by Eric Helms over 9 years ago

  • Category changed from Web UI to Inter Server Sync
  • Target version set to 54
  • Difficulty set to easy
  • Triaged changed from No to Yes
  • Pull request https://github.com/Katello/katello-misc/pull/36 added
  • Pull request deleted ()
#3

Updated by Eric Helms over 9 years ago

  • Status changed from New to Closed
#4

Updated by Eric Helms over 9 years ago

  • translation missing: en.field_release set to 13