Cross project access rules and their metadata can be retrieved by ID

Bug #1917417 reported by Goutham Pacha Ravi
Affects: OpenStack Shared File Systems Service (Manila)
Status: Fix Released
Importance: Medium
Assigned to: Goutham Pacha Ravi

Bug Description

Description
===========
A non privileged user of a project can use the access rules API introduced in version 2.45 to retrieve access rules, and modify the metadata of these access rules with the ID of the access rules.

Security Impact: In order to act maliciously, a rule ID is required. Rule IDs are UUIDs and are unguessable, and a brute force attack is improbable. Access IDs are available only with reference to a share whose UUID you need to know as well. So per the OpenStack VMT guidelines this bug qualifies as a Class C1 vulnerability: "Not considered a practical vulnerability (but some people might assign a CVE for it), e.g. one depending on UUID guessing".

Steps to reproduce
==================

* Create a share as user "demo" belonging to project "demo"
* Create an access rule for the share, record its UUID
* Obtain an API token as user "alt_demo" belonging to project "alt_demo"
* Execute GET /share-access-rules/<rule_id> with the token
* Execute PUT /share-access-rules/<rule_id>/metadata with the token

Expected result
===============
403 Forbidden

Actual result
=============
200 OK
With access rule information

Environment
===========
1. Affected Branches: Rocky-Victoria, Main/Wallaby

Changed in manila:
assignee: nobody → Goutham Pacha Ravi (gouthamr)
milestone: none → wallaby-3
importance: Undecided → Medium
Goutham Pacha Ravi (gouthamr) wrote :

Fix proposed to master:
    RBAC tightening for share access rule
    https://review.opendev.org/c/openstack/manila/+/778143

tags: added: backport-potential rocky-backport-potential stein-backport-potential train-backport-potential ussuri-backport-potential victoria-backport-potential
Vida Haririan (vhariria)
Changed in manila:
status: New → Fix Released
tags: added: rbac
tags: added: wallaby-rc-bugsquash
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 12.0.0.0rc1

This issue was fixed in the openstack/manila 12.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/manila/+/780092
Committed: https://opendev.org/openstack/manila/commit/ff97dc01a8a1679fbef2d8aba4d64ce5f4506403
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit ff97dc01a8a1679fbef2d8aba4d64ce5f4506403
Author: Goutham Pacha Ravi <email address hidden>
Date: Mon Mar 1 23:05:56 2021 -0800

    RBAC tightening for share access rule

    Non privileged users of unrelated projects
    must not be able to retrieve details of an
    access rule. We can add a further check to
    /share-access-rules APIs to validate that
    the caller has access to the share that these
    rules pertain to.

    Change-Id: I0009a3d682ee5d9a946821c3f82dfd90faa886aa
    Closes-Bug: #1917417
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit fc0f669decd3a7c6de2e7b4b01a727764b927a3b)
    (cherry picked from commit 3b372323467f6523d65188574d1c74f3c1f07e4b)

tags: added: in-stable-ussuri
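The check the commit message calls for, shown as an added example that is not manila's own code: an in-memory model of GET /share-access-rules/<rule_id> and PUT /share-access-rules/<rule_id>/metadata with constructed projects ("demo", "alt_demo"), a share and one rule. The vulnerable handler only checks that the rule ID exists, which is the 200 OK from the report; the hardened handler resolves the rule to its share and requires the caller's project to own that share, which is the expected 403. The Context, Share and AccessRule classes and the (status, body) return tuples are assumptions of this sketch.

```python
from dataclasses import dataclass, field
import uuid

@dataclass
class Context:
    project_id: str
    is_admin: bool = False

@dataclass
class Share:
    id: str
    project_id: str

@dataclass
class AccessRule:
    id: str
    share_id: str
    access_to: str
    metadata: dict = field(default_factory=dict)

# Constructed fixtures: a share owned by project "demo" with one access rule on it.
SHARES, RULES = {}, {}
def _seed():
    share = Share(id=str(uuid.uuid4()), project_id="demo")
    rule = AccessRule(id=str(uuid.uuid4()), share_id=share.id, access_to="10.0.0.5")
    SHARES[share.id], RULES[rule.id] = share, rule
    return rule.id
RULE_ID = _seed()

def get_rule_vulnerable(ctx, rule_id):
    """GET /share-access-rules/<id> as reported: existence of the rule is the only check."""
    rule = RULES.get(rule_id)
    return (404, None) if rule is None else (200, rule)

def _caller_owns_share(ctx, rule):
    """Resolve the rule to its share; the caller must own that share (or be admin)."""
    share = SHARES[rule.share_id]
    return ctx.is_admin or share.project_id == ctx.project_id

def get_rule_hardened(ctx, rule_id):
    """GET with the extra check: a rule is visible only through a share the caller can access."""
    rule = RULES.get(rule_id)
    if rule is None:
        return 404, None
    if not _caller_owns_share(ctx, rule):
        return 403, None
    return 200, rule

def put_metadata_hardened(ctx, rule_id, new_metadata):
    """PUT /share-access-rules/<id>/metadata reuses the same share-ownership check."""
    status, rule = get_rule_hardened(ctx, rule_id)
    if status != 200:
        return status, None
    rule.metadata.update(new_metadata)
    return 200, dict(rule.metadata)
```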
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/train)

Reviewed: https://review.opendev.org/c/openstack/manila/+/780093
Committed: https://opendev.org/openstack/manila/commit/a8f334f350892627302ac37b361af4587643d415
Submitter: "Zuul (22348)"
Branch: stable/train

commit a8f334f350892627302ac37b361af4587643d415
Author: Goutham Pacha Ravi <email address hidden>
Date: Mon Mar 1 23:05:56 2021 -0800

    RBAC tightening for share access rule

    Non privileged users of unrelated projects
    must not be able to retrieve details of an
    access rule. We can add a further check to
    /share-access-rules APIs to validate that
    the caller has access to the share that these
    rules pertain to.

    Change-Id: I0009a3d682ee5d9a946821c3f82dfd90faa886aa
    Closes-Bug: #1917417
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit fc0f669decd3a7c6de2e7b4b01a727764b927a3b)
    (cherry picked from commit 3b372323467f6523d65188574d1c74f3c1f07e4b)
    (cherry picked from commit ff97dc01a8a1679fbef2d8aba4d64ce5f4506403)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 10.1.0

This issue was fixed in the openstack/manila 10.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 11.1.0

This issue was fixed in the openstack/manila 11.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on manila (stable/stein)

Change abandoned by "Goutham Pacha Ravi <email address hidden>" on branch: stable/stein
Review: https://review.opendev.org/c/openstack/manila/+/780094
Reason: Branch retired

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila train-eol

This issue was fixed in the openstack/manila train-eol release.
