
Subject: Grouper Developers Forum


[grouper-dev] Security alert in Grouper WS : RE: [grouper-users] Question on get grouper privileges lite


  • From: Chris Hyzer <>
  • To: Tim Darby <>
  • Cc: "" <>, Grouper Dev <>
  • Subject: [grouper-dev] Security alert in Grouper WS : RE: [grouper-users] Question on get grouper privileges lite
  • Date: Sun, 28 Jul 2013 23:30:10 +0000
  • Accept-language: en-US

Tim has uncovered a security problem in Grouper WS.  The issue allows unprivileged users to see grouper privileges on folders and for ADMIN users on groups.  If you have this set in the grouper-ws.properties (or some other way to limit who has access to WS), it will limit the exposure:

ws.client.user.group.name

This affects all versions of Grouper WS: 1.4, 1.5, 1.6, 2.0, 2.1.  There is a patch that is tested to work for all versions, that you can apply to WS without an upgrade.  This should be a low risk patch, and hopefully not too difficult to apply.  As people apply it, maybe they can share experiences.

https://spaces.internet2.edu/display/Grouper/Grouper+Bug+GRP-923+WS+getGrouperPrivilegesLite+can+return+more+data+than+the+user+should+be+able+to+see

https://bugs.internet2.edu/jira/browse/GRP-923

Sorry for the inconvenience.

Thanks,

Chris

From: [mailto:] On Behalf Of Tim Darby
Sent: Thursday, July 25, 2013 12:36 PM
To: Chris Hyzer
Subject: Re: [grouper-users] Question on get grouper privileges lite

Yes, that subjectid has admin rights.  Let me know if you want me to run any more tests.


Tim Darby
The University of Arizona
Mosaic, Systems Integration and Architecture

UITS, Rm 335, 520-626-3799

On Thu, Jul 25, 2013 at 9:34 AM, Chris Hyzer <> wrote:

Thanks for the example, that doesn’t look good.  Just curious, does the subjectid you pass in have admin rights on the group?  Not that it makes it any better, but just curious…

Thanks,

Chris

From: [mailto:] On Behalf Of Tim Darby
Sent: Thursday, July 25, 2013 12:24 PM
To: Chris Hyzer
Subject: Re: [grouper-users] Question on get grouper privileges lite

Here's the query:

I removed all privileges for GrouperAll on this group and authenticated to grouper-ws with a user who only has "view" privileges on the group.  When I run the query I get:

<WsGetGrouperPrivilegesLiteResult>
  <resultMetadata>
    <resultCode>SUCCESS</resultCode>
    <success>T</success>
  </resultMetadata>
  <responseMetadata>
    <resultWarnings/>
    <millis>42</millis>
    <serverVersion>2.1.4</serverVersion>
  </responseMetadata>
</WsGetGrouperPrivilegesLiteResult>

Which makes sense, because I assume that you need admin rights to get the privileges on a group, right?

But then if I do this query:

I get this:

<WsGetGrouperPrivilegesLiteResult>
  <resultMetadata>
    <resultCode>SUCCESS</resultCode>
    <success>T</success>
  </resultMetadata>
  <privilegeResults>
    <WsGrouperPrivilegeResult>
      <allowed>T</allowed>
      <ownerSubject>
        <resultCode>SUCCESS</resultCode>
        <success>T</success>
        <id>119xxx</id>
        <name>Brett L Bendickson</name>
        <sourceId>ldap</sourceId>
      </ownerSubject>
      <privilegeName>admin</privilegeName>
      <privilegeType>access</privilegeType>
      <revokable>T</revokable>
      <wsGroup>
        <extension>sa-tech-team</extension>
        <typeOfGroup>group</typeOfGroup>
        <displayExtension>SA-Tech-Team</displayExtension>
        <description>SA Tech Team</description>
        <displayName>University of Arizona:Dept:UITS:Adhoc:Mosaic:SA:SA-Tech-Team</displayName>
        <name>arizona.edu:dept:uits:adhoc:mosaic:sa:sa-tech-team</name>
        <uuid>6c4f46613faa424586aa8feecbf7e9fb</uuid>
      </wsGroup>
      <wsSubject>
        <resultCode>SUCCESS</resultCode>
        <success>T</success>
        <id>119xxx</id>
        <name>Brett L Bendickson</name>
        <sourceId>ldap</sourceId>
      </wsSubject>
    </WsGrouperPrivilegeResult>
  </privilegeResults>
  <responseMetadata>
    <resultWarnings/>
    <millis>277</millis>
    <serverVersion>2.1.4</serverVersion>
  </responseMetadata>
</WsGetGrouperPrivilegesLiteResult>


Tim Darby
The University of Arizona
Mosaic, Systems Integration and Architecture

UITS, Rm 335, 520-626-3799

On Wed, Jul 24, 2013 at 6:21 PM, Chris Hyzer <> wrote:

Can you give example requests/responses that show the problem?  Also let me know what privileges are assigned to GrouperAll if any on the applicable objects.

Thanks

Chris

From: [mailto:] On Behalf Of Tim Darby
Sent: Wednesday, July 24, 2013 7:24 PM
To:
Subject: [grouper-users] Question on get grouper privileges lite

I've just started using the REST interface and I'm confused about permissions.  For example, with the get grouper privileges lite interface, if I'm authenticated as an unprivileged user (and not using actAs) and I specify the groupName only in the request, I get back no results.  It seems that my user has to have "admin" on that group to get anything back.  However, if I do the same query but also specify a subjectId that is an admin of that group, then I get back all the privileges of that subject on the group.  Is that the way it's supposed to work?


Tim Darby
The University of Arizona
Mosaic, Systems Integration and Architecture

UITS, Rm 335, 520-626-3799
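The thread describes the defect only in behavioural terms: a caller with just "view" on a group gets nothing back for groupName alone, but gets a subject's full privilege list back once subjectId is named. The script below is an added example, not code from this thread or from the Grouper project. It parses the WsGetGrouperPrivilegesLiteResult XML shown in Tim's messages and reports any privilege rows handed to a caller who is known to lack ADMIN on the group, which is what a regression check after applying the GRP-923 patch needs to look for. The two sample responses are constructed from the ones in the thread (subject name replaced with a placeholder), and the function names parse_result, privilege_rows, leaked_rows and is_patched are the example's own.

```python
# Added example (not from the thread or the Grouper project): a regression
# check for the GRP-923 behaviour. It inspects WsGetGrouperPrivilegesLiteResult
# XML and flags privilege rows returned to a caller without ADMIN on the group,
# whether or not the request named a subjectId.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PrivilegeRow:
    """One WsGrouperPrivilegeResult, reduced to the fields the check needs."""
    group_name: str
    subject_id: str
    privilege_name: str
    privilege_type: str
    allowed: bool


def parse_result(xml_text: str) -> ET.Element:
    """Parse a response body and confirm it is the result type we expect."""
    root = ET.fromstring(xml_text)
    if root.tag != "WsGetGrouperPrivilegesLiteResult":
        raise ValueError(f"unexpected root element: {root.tag!r}")
    return root


def result_code(xml_text: str) -> str:
    """Top-level resultMetadata/resultCode, e.g. SUCCESS."""
    return parse_result(xml_text).findtext("./resultMetadata/resultCode", default="")


def privilege_rows(xml_text: str) -> List[PrivilegeRow]:
    """Every privilege assignment the server placed under privilegeResults."""
    rows = []
    for res in parse_result(xml_text).iterfind("./privilegeResults/WsGrouperPrivilegeResult"):
        rows.append(PrivilegeRow(
            group_name=res.findtext("./wsGroup/name", default="").strip(),
            subject_id=res.findtext("./wsSubject/id", default="").strip(),
            privilege_name=res.findtext("./privilegeName", default="").strip(),
            privilege_type=res.findtext("./privilegeType", default="").strip(),
            allowed=res.findtext("./allowed", default="F").strip() == "T",
        ))
    return rows


def leaked_rows(xml_text: str, caller_has_admin: bool) -> List[PrivilegeRow]:
    """Rows the caller should not have seen.

    Rule from the thread: a caller without ADMIN on the group gets no privilege
    rows for it, whichever subjectId the request named. An ADMIN caller is
    entitled to all of them, so nothing counts as leaked.
    """
    if caller_has_admin:
        return []
    return privilege_rows(xml_text)


def is_patched(responses_for_view_only_caller: List[str]) -> bool:
    """True when every response a view-only test account received is clean:
    resultCode SUCCESS and zero privilege rows. Pass the bodies of the two
    queries the thread describes (groupName alone, groupName plus subjectId)."""
    for body in responses_for_view_only_caller:
        if result_code(body) != "SUCCESS":
            return False  # an error response proves nothing; treat as unverified
        if leaked_rows(body, caller_has_admin=False):
            return False
    return True


# Constructed sample responses, modelled on the two shown in the thread.
RESPONSE_GROUP_ONLY = """<WsGetGrouperPrivilegesLiteResult>
  <resultMetadata><resultCode>SUCCESS</resultCode><success>T</success></resultMetadata>
  <responseMetadata><resultWarnings/><millis>42</millis><serverVersion>2.1.4</serverVersion></responseMetadata>
</WsGetGrouperPrivilegesLiteResult>"""

RESPONSE_WITH_SUBJECT = """<WsGetGrouperPrivilegesLiteResult>
  <resultMetadata><resultCode>SUCCESS</resultCode><success>T</success></resultMetadata>
  <privilegeResults>
    <WsGrouperPrivilegeResult>
      <allowed>T</allowed>
      <privilegeName>admin</privilegeName>
      <privilegeType>access</privilegeType>
      <revokable>T</revokable>
      <wsGroup>
        <name>arizona.edu:dept:uits:adhoc:mosaic:sa:sa-tech-team</name>
        <uuid>6c4f46613faa424586aa8feecbf7e9fb</uuid>
      </wsGroup>
      <wsSubject><id>119xxx</id><name>Example Subject</name><sourceId>ldap</sourceId></wsSubject>
    </WsGrouperPrivilegeResult>
  </privilegeResults>
  <responseMetadata><resultWarnings/><millis>277</millis><serverVersion>2.1.4</serverVersion></responseMetadata>
</WsGetGrouperPrivilegesLiteResult>"""


if __name__ == "__main__":
    for label, body in (("groupName only", RESPONSE_GROUP_ONLY),
                        ("groupName + subjectId", RESPONSE_WITH_SUBJECT)):
        rows = leaked_rows(body, caller_has_admin=False)
        print(f"{label}: {len(rows)} leaked row(s)", [r.privilege_name for r in rows])
    print("patched:", is_patched([RESPONSE_GROUP_ONLY, RESPONSE_WITH_SUBJECT]))
```

To use it against a deployment, authenticate to grouper-ws as a test account that holds only "view" on a group, run the two queries Tim describes, and pass the response bodies to is_patched. Any non-empty result from leaked_rows means the server is still filtering on the shape of the request rather than on the caller's own privileges, which is the condition the GRP-923 patch removes.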




