Activity log for bug #1459762

Date Who What changed Old value New value Message
2015-05-28 17:44:09 Scott Moser bug added bug
2015-06-06 03:40:38 Andres Rodriguez maas: status New Triaged
2015-06-06 03:40:39 Andres Rodriguez maas: importance Undecided Critical
2015-06-06 03:40:42 Andres Rodriguez maas: milestone 1.9.0
2015-06-16 19:30:17 Scott Moser description
Old value: the description below, without its closing "Related bugs" list.
New value:

This is being run against maas-stable ppa
  # dpkg-query --show maas
  maas 1.7.3+bzr3363-0ubuntu1~trusty1

A non-admin user can acquire a system, change certain fields, and release the system. This could effectively DOS the use of the system.

The fields I've verified I can change are:
  architecture
  hostname
  disable_ipv4

Not sure if others can be modified or not.

But essentially the steps are:
 a.) maas <name> nodes acquire
 b.) maas <name> update <system_id> architecture=amd64/hwe-u
 c.) maas <name> node release <system_id>
 d.) maas <name> node read <system_id>

'd' is just there for verification that the change is permanent.

See the attached script to show doing this. Its example output when run:

$ ./go
maas home-ubuntu nodes acquire
acquired hostname=kearney.example.com system_id=node-79b67e82-d25c-11e4-a333-00163eca91de
maas home-ubuntu node read node-79b67e82-d25c-11e4-a333-00163eca91de
== kearney.example.com [acquired] ==
  hostname: kearney.example.com
  system_id: node-79b67e82-d25c-11e4-a333-00163eca91de
  netboot: True
  osystem:
  storage: 160000
  architecture: amd64/hwe-t
  disable_ipv4: False
  distro_series:
applying architecture=amd64/hwe-u hostname=mychange.example.com disable_ipv4=True
maas home-ubuntu node update node-79b67e82-d25c-11e4-a333-00163eca91de architecture=amd64/hwe-u hostname=mychange.example.com disable_ipv4=True
maas home-ubuntu node read node-79b67e82-d25c-11e4-a333-00163eca91de
== mychange.example.com [modified] ==
  hostname: mychange.example.com
  system_id: node-79b67e82-d25c-11e4-a333-00163eca91de
  netboot: True
  osystem:
  storage: 160000
  architecture: amd64/hwe-u
  disable_ipv4: True
  distro_series:
maas home-ubuntu node release node-79b67e82-d25c-11e4-a333-00163eca91de
maas home-ubuntu node read node-79b67e82-d25c-11e4-a333-00163eca91de
== mychange.example.com [released] ==
  hostname: mychange.example.com
  system_id: node-79b67e82-d25c-11e4-a333-00163eca91de
  netboot: True
  osystem:
  storage: 160000
  architecture: amd64/hwe-u
  disable_ipv4: True
  distro_series:

Related bugs:
 * bug 1443644: hwe kernels should not be part of the architecture
 * bug 1437059: Deploy bulk actions needs the ability to specify architecture (so we can select hwe kernel)

2015-09-18 18:43:31 Jeffrey C Jones maas: assignee Jeffrey C Jones (trapnine)
2015-09-22 04:58:25 Launchpad Janitor branch linked lp:~trapnine/maas/b1459762
2015-09-22 05:09:29 Jeffrey C Jones maas: status Triaged In Progress
2015-09-23 13:15:28 MAAS Lander maas: status In Progress Fix Committed
2016-01-05 15:04:51 Andres Rodriguez maas: status Fix Committed Fix Released