fmClientCli access available for non-admin users

Bug #1991118 reported by João Victor Portal
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: João Victor Portal

Bug Description

Brief Description
-----------------
The fmClientCli binary, which can create and delete alarms, is available to non-admin Linux users.

Severity
--------
Minor

Steps to Reproduce
------------------
Execute fmClientCli as a non-admin Linux user.

Expected Behavior
-----------------
The binary should not execute.

Actual Behavior
---------------
The binary is executed.

Reproducibility
---------------
100% reproducible.

System Configuration
--------------------
Any.

Branch/Pull Time/Commit
-----------------------
N/A.

Last Pass
---------
N/A.

Timestamp/Logs
--------------
N/A.

Test Activity
-------------
Developer Testing.

Workaround
----------
N/A.

Revision history for this message
Ghada Khalil (gkhalil) wrote:

screening: minor / stx.8.0 - related to https://storyboard.openstack.org/#!/story/2010149

information type: Private Security → Public Security
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.8.0 stx.security
Changed in starlingx:
assignee: nobody → João Victor Portal (jvictorp)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Fix merged to fault (master)

Reviewed: https://review.opendev.org/c/starlingx/fault/+/859299
Committed: https://opendev.org/starlingx/fault/commit/74d56e72a05a21bcb1ef6d7e33516e8ee4414fee
Submitter: "Zuul (22348)"
Branch: master

commit 74d56e72a05a21bcb1ef6d7e33516e8ee4414fee
Author: Joao Victor Portal <email address hidden>
Date: Mon Sep 26 11:00:57 2022 -0300

    Restrict fmClientCli binary permissions

    The fmClientCli binary can create and delete alarms freely on the
    system, so the access to this binary should be restricted to Linux admin
    users.

    Test Plan:

    PASS: Deploy an AIO-SX using a Debian image containing this change and
    check that the permissions for file "/usr/local/bin/fmClientCli" are
    "-rwxr-x---" and the owner:group is root:root.
    PASS: Repeat the test above using a CentOS image.

    Closes-Bug: 1991118
    Signed-off-by: Joao Victor Portal <email address hidden>
    Change-Id: I0375ddc68ae1b5967447a326780272f77695793a

Changed in starlingx:
status: New → Fix Released
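The test plan in the merged change verifies the installed mode and ownership by inspection. The following is an added example, not code from the StarlingX change or from the bug report, that turns that check into a shell function: it flags any binary that still grants permission bits to "other" users or is not owned by the expected owner:group. The demonstration runs on a scratch file standing in for /usr/local/bin/fmClientCli, and because an unprivileged user cannot chown to root it uses the current user and primary group as the expected owner (a demo assumption); on a deployed node the call would be `check_restricted_binary /usr/local/bin/fmClientCli root root`. The GNU `stat -c` format is assumed, with the BSD `stat -f` form as a fallback.

```shell
#!/bin/sh
# Added example, not StarlingX code: automate the permission check from the
# test plan for bug 1991118. A privileged CLI such as fmClientCli should be
# mode 0750 (-rwxr-x---) and owned by root:root, so users outside the owning
# group cannot execute it.

# Print "<octal mode> <owner> <group>" for PATH.
# GNU coreutils stat first; BSD/macOS stat as a fallback.
file_perms() {
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%OLp %Su %Sg' "$1"
}

# check_restricted_binary PATH OWNER GROUP
# Returns 0 when PATH grants no permission bits to "other" and is owned by
# OWNER:GROUP; returns 1 (and prints why) otherwise.
check_restricted_binary() {
    path=$1
    want_owner=$2
    want_group=$3
    if [ ! -e "$path" ]; then
        echo "FAIL $path: does not exist"
        return 1
    fi
    set -- $(file_perms "$path")
    mode=$1
    owner=$2
    group=$3
    # The "other" bits are the last octal digit of the mode (e.g. 750 -> 0).
    other=${mode#"${mode%?}"}
    if [ "$other" != "0" ]; then
        echo "FAIL $path: mode $mode grants access to every local user"
        return 1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "FAIL $path: owned by $owner:$group, expected $want_owner:$want_group"
        return 1
    fi
    echo "OK   $path: mode $mode, owner $owner:$group"
    return 0
}

# Demonstration on a scratch file standing in for /usr/local/bin/fmClientCli.
# Without privileges we cannot chown to root, so the expected owner and group
# are the current user's (an assumption for the demo only); on a deployed node
# pass "root root". Returns 0 when the weak mode is flagged and the fixed mode
# passes.
demo() {
    me=$(id -un)
    mygroup=$(id -gn)
    tmp=$(mktemp) || return 1
    chmod 0755 "$tmp"                       # world-executable: the reported state
    if check_restricted_binary "$tmp" "$me" "$mygroup"; then
        rm -f "$tmp"; return 1              # should have been flagged
    fi
    chmod 0750 "$tmp"                       # -rwxr-x---: what the fix installs
    if ! check_restricted_binary "$tmp" "$me" "$mygroup"; then
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
    return 0
}

demo
# On a StarlingX node the real check would be:
#   check_restricted_binary /usr/local/bin/fmClientCli root root
```

The check looks only at the classic mode bits; a file ACL or a setuid wrapper could still widen access, so on a real node pair it with `getfacl` and a search for other copies of the binary on the PATH.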