hostname, architecture, disable_ipv4 can be permanently changed by non-admin user
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| MAAS | Fix Released | Critical | Jeffrey C Jones | |
Bug Description
This is being run against maas-stable ppa
# dpkg-query --show maas
maas 1.7.3+bzr3363-
A non-admin user can acquire a system, change certain fields, and release the
system. This could effectively DOS the use of the system.
The fields I've verified I can change are:
architecture
hostname
disable_ipv4
Not sure if others can be modified or not. But essentially the steps are:
a.) maas <name> nodes acquire
b.) maas <name> update <system_id> architecture=
c.) maas <name> node release <system_id>
d.) maas <name> node read <system_id>
'd' is just there for verification that the change is permanent.
See the attached script to show doing this. Its example output when run:
$ ./go
maas home-ubuntu nodes acquire
acquired hostname=
maas home-ubuntu node read node-79b67e82-
== kearney.example.com [acquired] ==
hostname: kearney.example.com
system_id: node-79b67e82-
netboot: True
osystem:
storage: 160000
architecture: amd64/hwe-t
disable_ipv4: False
distro_series:
applying architecture=
maas home-ubuntu node update node-79b67e82-
maas home-ubuntu node read node-79b67e82-
== mychange.
hostname: mychange.
system_id: node-79b67e82-
netboot: True
osystem:
storage: 160000
architecture: amd64/hwe-u
disable_ipv4: True
distro_series:
maas home-ubuntu node release node-79b67e82-
maas home-ubuntu node read node-79b67e82-
== mychange.
hostname: mychange.
system_id: node-79b67e82-
netboot: True
osystem:
storage: 160000
architecture: amd64/hwe-u
disable_ipv4: True
distro_series:
Related bugs:
* bug 1443644: hwe kernels should not be part of the architecture
* bug 1437059: Deploy bulk actions needs the ability to specify architecture (so we can select hwe kernel)
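A check for the persistence verified in step d, as an added example that is not part of the original report or its attached script: it parses node read summaries in the format shown above, taken before acquisition and after release, and reports changes to the three fields the report names. The sample text, the node-EXAMPLE id, the full mychange hostname, the [ready] status and the function names are constructed for illustration.

```python
# Added example (not MAAS code): flag drift in fields a non-admin should not change.
ADMIN_OWNED = ("hostname", "architecture", "disable_ipv4")

def parse_node_read(text):
    """Parse 'key: value' lines from a node read summary into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("=="):
            continue  # skip blanks and the '== name [status] ==' banner
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()  # empty values stay as ""
    return fields

def drift(before, after, watched=ADMIN_OWNED):
    """Return {field: (old, new)} for watched fields that differ."""
    b, a = parse_node_read(before), parse_node_read(after)
    return {f: (b.get(f), a.get(f)) for f in watched if b.get(f) != a.get(f)}

# Constructed sample input, modelled on the output format in the report.
BEFORE = """\
== kearney.example.com [acquired] ==
hostname: kearney.example.com
system_id: node-EXAMPLE
netboot: True
osystem:
storage: 160000
architecture: amd64/hwe-t
disable_ipv4: False
distro_series:
"""
AFTER = """\
== mychange.example.com [ready] ==
hostname: mychange.example.com
system_id: node-EXAMPLE
netboot: True
osystem:
storage: 160000
architecture: amd64/hwe-u
disable_ipv4: True
distro_series:
"""

if __name__ == "__main__":
    for field, (old, new) in drift(BEFORE, AFTER).items():
        print(f"{field}: {old!r} -> {new!r} persisted after release")
```

An empty result from drift means none of the watched fields changed across the acquire/release cycle.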
Related branches
- Gavin Panella (community): Approve
- Blake Rouse (community): Approve
Diff: 275 lines (+63/-34), 3 files modified
src/maasserver/api/nodes.py (+5/-4)
src/maasserver/api/tests/test_node.py (+30/-22)
src/maasserver/api/tests/test_nodes.py (+28/-8)
Changed in maas:
status: New → Triaged
importance: Undecided → Critical
milestone: none → 1.9.0
description: updated
Changed in maas:
assignee: nobody → Jeffrey C Jones (trapnine)
Changed in maas:
status: Triaged → In Progress
Changed in maas:
status: In Progress → Fix Committed
Changed in maas:
status: Fix Committed → Fix Released