Auto provision rule does not enforce host group association to org/location
This was reported by Ori Rabin to foreman-security (thanks!) and a CVE identifier was filed under CVE-2015-3199, but it turned out this does not affect any released upstream version.
Steps to reproduce:
1. log in with a user that has 2 locations (A, B)
2. discover a host and make sure it is connected to location B
3. create a hostgroup in location A
4. create a discovery rule in location B to match the discovered host and use the hostgroup from step 3
5. log in with a user with permissions to location B only
6. on the discovery rules index page you can see the rule with the hostgroup you created (even though you can't access that hostgroup)
7. auto provision the discovered host
8. go to hosts - the host was provisioned using a hostgroup the second user doesn't have permissions for
The rule creation should enforce that the selected host group is in the same org/location as the rule itself.
Optionally Discovery could also enforce that users must have view_hostgroups permissions for their target host group when using rules, but this isn't done in Foreman core today anyway - #4477, #6470 etc.
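As an added illustration of the two checks discussed above (not foreman_discovery's own code, and not the fix applied in the changeset), the stand-alone Ruby below models a discovery rule and a host group with their organization and location ids and rejects a rule whose host group is not available in every organization and location the rule belongs to; it also shows the optional per-user visibility check. The struct and method names (`Hostgroup`, `DiscoveryRule`, `taxonomy_mismatch`, `user_can_view_hostgroup?`) and the sample ids are assumptions chosen for this example, not Foreman's models or API.

```ruby
# Added example, not code from foreman_discovery. Models the validation the
# report asks for: a rule's host group must belong to the same org/location
# as the rule. Names and ids below are assumptions for illustration only.

Hostgroup     = Struct.new(:name, :organization_ids, :location_ids)
DiscoveryRule = Struct.new(:name, :organization_ids, :location_ids, :hostgroup)
User          = Struct.new(:login, :organization_ids, :location_ids)

# Returns a list of error strings; empty when the rule's host group is present
# in every organization and location the rule itself is assigned to.
def taxonomy_mismatch(rule)
  errors = []
  hg = rule.hostgroup
  return errors if hg.nil?

  # Array difference: taxonomies the rule has but the host group lacks.
  missing_orgs = rule.organization_ids - hg.organization_ids
  missing_locs = rule.location_ids - hg.location_ids

  errors << "host group #{hg.name} is not in organization ids #{missing_orgs.inspect}" unless missing_orgs.empty?
  errors << "host group #{hg.name} is not in location ids #{missing_locs.inspect}" unless missing_locs.empty?
  errors
end

# The check a rule-creation form should run before saving.
def valid_rule?(rule)
  taxonomy_mismatch(rule).empty?
end

# Optional stricter check (the report notes Foreman core does not do this
# today): a user may only pick a host group visible in one of their own
# organizations and one of their own locations.
def user_can_view_hostgroup?(user, hg)
  !(user.organization_ids & hg.organization_ids).empty? &&
    !(user.location_ids & hg.location_ids).empty?
end

# Constructed sample mirroring the report: org 10, location A = 1, location B = 2.
HG_IN_A      = Hostgroup.new("hg-a", [10], [1])
RULE_IN_B    = DiscoveryRule.new("match-b", [10], [2], HG_IN_A) # must be rejected
RULE_IN_A    = DiscoveryRule.new("match-a", [10], [1], HG_IN_A) # acceptable
USER_B_ONLY  = User.new("userb", [10], [2])

if __FILE__ == $0
  [RULE_IN_A, RULE_IN_B].each do |rule|
    puts "#{rule.name}: #{valid_rule?(rule) ? 'ok' : taxonomy_mismatch(rule).join('; ')}"
  end
  puts "userb can view hg-a: #{user_can_view_hostgroup?(USER_B_ONLY, HG_IN_A)}"
end
```

Running it prints that `match-a` is accepted, `match-b` is rejected because `hg-a` is not in location id 2, and that a location-B-only user cannot view `hg-a`; the subset comparison is what a model-level validation would perform before a rule is persisted.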
#9 Updated by Anonymous over 5 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset foreman_discovery|5cb015eb6ab9be490956af00300bdd1df94c8d18.