Bugzilla – Bug 863706
obs: webui makes it appear as if you can set logged in users attributes everywhere
Last modified: 2014-02-14 01:44:54 UTC
reported by user Christian Eberl <christian.eberl@workingbits.at>
Subject: possible security issue in OBS

Hi Marcus,

I'm currently trying to get my local OBS with maintenance running. Trying to follow http://openbuildservice.org/help/manuals/obs-reference-guide/cha.obs.maintenance_setup.html , I was looking for examples on build.opensuse.com - found yours on https://build.opensuse.org/project/show/home:msmeissn:branches:openSUSE:12.3:Update

In your branch I checked prj.config, meta and attributes. There I noticed something strange: it seems I'm able to add/change attributes of your branch... https://build.opensuse.org/project/attributes/home:msmeissn:branches:openSUSE:12.3:Update

I didn't verify whether saving is possible (your project), but the link "Add a new attribute" is working as long as I'm logged in. It does not work with anonymous access. I'm not sure if this is by design, or I'm getting something wrong - it just seems strange to me... Sorry if this is by design and I missed some documentation. Just felt I should let you know.

Chris
Hmm. While I am able to set OBS:Maintained in https://build.opensuse.org/project/attributes/home:adrianSuSE, others did not work (did not try all), but I think this might be because I have write permissions for this attribute. Is the attribute permission logic documented? http://en.opensuse.org/openSUSE:Build_Service_Concept_AttributeStorage has parts of that?
Yes, each attribute can have different permissions. However, I wonder why Christian was able to really change something. I see that the Edit button is currently always enabled in the webui, but the save operation should have failed. Just from looking at the code I do not see an error. Marcus, can you try to set OBS:BranchTarget in my home project via the webui? If it does not work, this seems to be just about the always displayed edit button. And there might actually be attributes which he may be allowed to set in projects where he is not a maintainer...
My account is https://build.opensuse.org/user/show/chexx (in case you want to check permissions). To be clear: I did NOT try to modify anything, I just wondered that I see the add button, which took me to attribute selection in the WebUI. Besides the add, I also see modify/delete attribute in https://build.opensuse.org/project/attributes/openSUSE:13.1 ... I'm sure that I should have no permission for that - it just feels pretty strange that I see the UI for it, especially the delete button for existing attributes. Let me know if I should actually try to modify/test something...
Feel free to test it in my home project home:adrianSuSE. I agree that the webui could test per attribute whether the user can edit/add the attribute before showing the buttons. But that is only a usability thing, not a security issue.
Tested in home:adrianSuSE all visible attributes (add, edit, delete) - all failed with permission denied except for OBS:ProjectStatusPackageFailComment, which I left at value "Chris". Unsure if I should be able to set this attribute, but it seems this turns out to be a usability issue - sorry for any inconvenience.
adjusted summary and severity to match issue ;)
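The thread concludes that the server-side per-attribute check held while the webui showed the buttons regardless. As an added illustration (not OBS code, and not part of this bug), the sketch below routes both the button rendering and the save operation through one authorization function, so the UI check is a usability nicety while the server check stays the security boundary. The attribute policies and maintainer lists are constructed assumptions, not OBS's real definitions.

```python
# Added example (not OBS code). One authorization function serves both the
# UI (which buttons to render) and the save path (which writes to allow).

class PermissionDenied(Exception):
    pass

# Constructed attribute policies (assumed, not OBS's real definitions):
# "maintainer" -> only project maintainers may set it,
# "any_user"   -> any logged-in user may set it (comment-style attributes).
ATTRIBUTE_POLICY = {
    "OBS:Maintained": "maintainer",
    "OBS:BranchTarget": "maintainer",
    "OBS:ProjectStatusPackageFailComment": "any_user",
}

# Constructed project maintainer lists (sample data, not live OBS state).
PROJECT_MAINTAINERS = {
    "home:adrianSuSE": {"adrianSuSE"},
    "openSUSE:13.1": {"adrianSuSE", "msmeissn"},
}


def can_modify_attribute(user, project, attribute):
    """Single source of truth used by both the UI and the save path."""
    if user is None:  # anonymous access never writes
        return False
    policy = ATTRIBUTE_POLICY.get(attribute)
    if policy is None:  # unknown attribute: deny by default
        return False
    if policy == "any_user":
        return True
    return user in PROJECT_MAINTAINERS.get(project, set())


def ui_buttons(user, project, attribute):
    """What the webui should render; the bug showed these unconditionally."""
    allowed = can_modify_attribute(user, project, attribute)
    return {"edit": allowed, "delete": allowed}


def save_attribute(store, user, project, attribute, value):
    """Server-side write; this is the check that must never be skipped."""
    if not can_modify_attribute(user, project, attribute):
        raise PermissionDenied(f"{user!r} may not set {attribute} on {project}")
    store.setdefault(project, {})[attribute] = value
    return store
```

With these sample policies, a non-maintainer can set OBS:ProjectStatusPackageFailComment but not OBS:BranchTarget, matching the outcome reported in the thread.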