MAAS

Normal users can read machine details of owned machines

Bug #1811799 reported by Björn Tillenius on 2019-01-15

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	MAAS	Fix Released	High	Unassigned	MAAS 3.4.0-beta1

Bug Description

This is with MAAS 2.5.1-7489-g2f25a2cc0-0ubuntu1~18.04.1.

Normal users can't see machines if they have a different
owner than themselves.

But if they know the system id, they can get the machine details:

maas <login> machine details <system_id>

Tags:

Related branches

~igor-brovtsin/maas:lp-1811799

Merged into maas:master

Björn Tillenius: Approve on 2022-11-21

MAAS Lander: Approve on 2022-11-18

Björn Tillenius (bjornt) on 2019-01-15

Changed in maas:
status:	New → Triaged
importance:	Undecided → High
milestone:	none → 2.5.1
summary:	- [2.5] Normal users can read machine details of owned machines + [2.5, API] Normal users can read machine details of owned machines
tags:	added: api

Revision history for this message

Andres Rodriguez (andreserl) wrote on 2019-01-15: Re: [2.5, API] Normal users can read machine details of owned machines

I think this is an actual issue with non-RBAC MAAS too.

Andres Rodriguez (andreserl) on 2019-01-15

tags:

added: rbac

Revision history for this message

Björn Tillenius (bjornt) wrote on 2019-01-15:

Yes, this is an issue with non-RBAC as well. That's why I didn't mention RBAC here.

Andres Rodriguez (andreserl) on 2019-01-16

Changed in maas:
milestone:	2.5.1 → 2.5.2

Andres Rodriguez (andreserl) on 2019-02-21

Changed in maas:
milestone:	2.5.2 → 2.5.3

Andres Rodriguez (andreserl) on 2019-04-22

Changed in maas:
milestone:	2.5.3 → 2.6.0beta2

Andres Rodriguez (andreserl) on 2019-04-27

Changed in maas:
milestone:	2.6.0beta2 → 2.6.0rc1

Andres Rodriguez (andreserl) on 2019-05-28

Changed in maas:
milestone:	2.6.0rc1 → 2.6.0rc2

Andres Rodriguez (andreserl) on 2019-06-10

Changed in maas:
milestone:	2.6.0rc2 → 2.7.0alpha1

Adam Collard (adam-collard) on 2019-12-04

Changed in maas:
milestone:	2.7.0b1 → 2.7.0b2

Adam Collard (adam-collard) on 2019-12-18

Changed in maas:
milestone:	2.7.0b2 → none

Alberto Donato (ack) on 2022-11-21

summary:

- [2.5, API] Normal users can read machine details of owned machines
+ Normal users can read machine details of owned machines

MAAS Lander (maas-lander) on 2022-11-21

Changed in maas:
milestone:	none → 3.4.0
status:	Triaged → Fix Committed

Alberto Donato (ack) on 2023-04-27

Changed in maas:
milestone:	3.4.0 → 3.4.0-beta1

Alberto Donato (ack) on 2023-05-16

Changed in maas:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.