Project

General

Profile

Actions
Copy link

Bug #10469

closed

Auto provision rule does not enforce host group association to org/location

Added by Dominic Cleal about 9 years ago. Updated almost 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Lukas Zapletal
Category:
Discovery plugin
Difficulty:
Triaged:
Bugzilla link:
Pull request:
https://github.com/theforeman/foreman_discovery/pull/202
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

This was reported by Ori Rabin to foreman-security (thanks!) and a CVE identifier was filed under CVE-2015-3199, but it turned out this does not affect any released upstream version.

Steps to reproduce:
  1. log in with a user that has 2 locations (A, B)
  2. discover a host and make sure it is connected to location B
  3. create a hostgroup in location A
  4. create a discovery rule in location B to match the discovered host and use the hostgroup from 3
  5. log in with a user with permissions to location B only
  6. you can see in the discovery rules index page the rule with the hostgroup you created (you can't access the hostgroup)
  7. auto provision the discovered host
  8. go to hosts - the host was provisioned using a hostgroup the second user doesn't have permissions for

The rule creation should enforce that the selected host group is in the same org/location as the rule itself.

Optionally Discovery could also enforce that users must have view_hostgroups permissions for their target host group when using rules, but this isn't done in Foreman core today anyway - #4477, #6470 etc.

Related issues 1 (0 open1 closed)

Related to Discovery - Bug #9881: Discovery rules are not connected to taxonomies ClosedOri Rabin03/24/2015Actions
Actions
Copy link

Also available in: Atom PDF