authz_ownership not checking permissions correctly on system creation
by Kyle Flavin
I've been experimenting with the ownership features in Cobbler, using the authz_ownership module.
My users.conf looks like this:
[admins]
admin = ""
cobbler = ""
[mygroup]
myuser = ""
I'm seeing a problem where "myuser" can edit existing systems owned by "mygroup" in the WebUI, but "myuser" can't create new systems. I get an authorization error that seems to be tied back to item_system.py, which loads obj.owners as the string "<<inherit>>" for a new system object (even if I try to create the object with group "mygroup"). The function __is_user_allowed() seems to expect a list here, and ends up iterating over this string, incorrectly checking for user/group matches against each character in the string, i.e. "<". Not sure if this is a known issue? I'm running 2.6.9 on my server (latest from the EPEL repos), but it looks like it's unchanged in the latest version up on github as well. Is this a bug?
The code snippet is here. When creating a system, obj.owners is a string containing "<<inherit>>":
    def __is_user_allowed(obj, groups, user, resource, arg1, arg2):
        if user == "<DIRECT>":
            # system user, logged in via web.ss
            return True
        for group in groups:
            if group in [ "admins", "admin" ]:
                return True
        if obj.owners == []:
            return True
        # assumes obj.owners is a list; a str such as "<<inherit>>"
        # is iterated one character at a time here
        for allowed in obj.owners:
            if user == allowed:
                # user match
                return True
            # else look for a group match
            for group in groups:
                if group == allowed:
                    return True
        return 0
Thanks,
Kyle
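An added example (not Cobbler's code) that reproduces the string-iteration behaviour described in the post and puts a type-safe variant beside it. The `inherited` parameter is an assumed stand-in for the parent object's owners list, since the post does not show how "<<inherit>>" gets resolved.

```python
INHERIT = "<<inherit>>"   # marker the post reports in obj.owners for a new system


def is_user_allowed_original(owners, groups, user):
    """The check as posted: silently assumes `owners` is a list of names."""
    if "admins" in groups or "admin" in groups:
        return True
    if owners == []:
        return True
    for allowed in owners:   # a str iterates per character: "<", "<", "i", ...
        if user == allowed or allowed in groups:
            return True
    return False


def effective_owners(owners, inherited=None):
    """Resolve the owners value to a list of names, or None if unresolvable.

    `inherited` is an assumed hook for the parent object's owners list
    (constructed for this example); resolution of the marker is simulated.
    """
    if owners == INHERIT:
        owners = inherited
    if owners is None or isinstance(owners, str):
        return None   # a bare string is never a valid owners list
    return [o for o in owners if isinstance(o, str) and o]


def is_user_allowed_hardened(owners, groups, user, inherited=None):
    """Same policy as the original, but malformed or unresolved owners fail closed."""
    if "admins" in groups or "admin" in groups:
        return True
    names = effective_owners(owners, inherited)
    if names is None:
        return False
    if not names:
        return True   # keeps the module's "no owners means unrestricted" rule
    return user in names or any(g in names for g in groups)
```

With the original function, a user or group literally named "<" would pass the check on a fresh system, while "myuser" in "mygroup" is denied; the hardened version denies both until the inherit marker is resolved to a real list.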