grouper-dev - [grouper-dev] Security alert in Grouper WS : RE: [grouper-users] Question on get grouper privileges lite
- From: Chris Hyzer <>
- To: Tim Darby <>
- Cc: Grouper Dev <>
- Subject: [grouper-dev] Security alert in Grouper WS : RE: [grouper-users] Question on get grouper privileges lite
- Date: Sun, 28 Jul 2013 23:30:10 +0000
Tim has uncovered a security problem in Grouper WS. The issue allows unprivileged users to see grouper privileges on folders and for ADMIN users on groups.

If you have this set in the grouper-ws.properties (or some other way to limit who has access to WS), it will limit the exposure: ws.client.user.group.name

This affects all versions of Grouper WS: 1.4, 1.5, 1.6, 2.0, 2.1. There is a patch that is tested to work for all versions, that you can apply to WS without an upgrade. This should be a low risk patch, and hopefully not too difficult to apply. As people apply it, maybe they can share experiences.

https://bugs.internet2.edu/jira/browse/GRP-923

Sorry for the inconvenience.

Thanks,
Chris

From: [mailto:] On Behalf Of Tim Darby

Yes, that subjectid has admin rights. Let me know if you want me to run any more tests.

Tim Darby

On Thu, Jul 25, 2013 at 9:34 AM, Chris Hyzer <> wrote:

Thanks for the example, that doesn't look good. Just curious, does the subjectid you pass in have admin rights on the group? Not that it makes it any better, but just curious...

Thanks,
Chris

From: [mailto:] On Behalf Of Tim Darby

Here's the query: I removed all privileges for GrouperAll on this group and authenticated to grouper-ws with a user who only has "view" privileges on the group. When I run the query I get:

<WsGetGrouperPrivilegesLiteResult>
  <resultMetadata>
    <resultCode>SUCCESS</resultCode>
    <success>T</success>
  </resultMetadata>
  <responseMetadata>
    <resultWarnings/>
    <millis>42</millis>
    <serverVersion>2.1.4</serverVersion>
  </responseMetadata>
</WsGetGrouperPrivilegesLiteResult>

Which makes sense, because I assume that you need admin rights to get the privileges on a group, right? But then if I do this query: I get this:

<WsGetGrouperPrivilegesLiteResult>
  <resultMetadata>
    <resultCode>SUCCESS</resultCode>
    <success>T</success>
  </resultMetadata>
  <privilegeResults>
    <WsGrouperPrivilegeResult>
      <allowed>T</allowed>
      <ownerSubject>
        <resultCode>SUCCESS</resultCode>
        <success>T</success>
        <id>119xxx</id>
        <name>Brett L Bendickson</name>
        <sourceId>ldap</sourceId>
      </ownerSubject>
      <privilegeName>admin</privilegeName>
      <privilegeType>access</privilegeType>
      <revokable>T</revokable>
      <wsGroup>
        <extension>sa-tech-team</extension>
        <typeOfGroup>group</typeOfGroup>
        <displayExtension>SA-Tech-Team</displayExtension>
        <description>SA Tech Team</description>
        <displayName>University of Arizona:Dept:UITS:Adhoc:Mosaic:SA:SA-Tech-Team</displayName>
        <name>arizona.edu:dept:uits:adhoc:mosaic:sa:sa-tech-team</name>
        <uuid>6c4f46613faa424586aa8feecbf7e9fb</uuid>
      </wsGroup>
      <wsSubject>
        <resultCode>SUCCESS</resultCode>
        <success>T</success>
        <id>119xxx</id>
        <name>Brett L Bendickson</name>
        <sourceId>ldap</sourceId>
      </wsSubject>
    </WsGrouperPrivilegeResult>
  </privilegeResults>
  <responseMetadata>
    <resultWarnings/>
    <millis>277</millis>
    <serverVersion>2.1.4</serverVersion>
  </responseMetadata>
</WsGetGrouperPrivilegesLiteResult>

Tim Darby

On Wed, Jul 24, 2013 at 6:21 PM, Chris Hyzer <> wrote:

Can you give example requests/responses that show the problem? Also let me know what privileges are assigned to GrouperAll if any on the applicable objects.

Thanks,
Chris

From: [mailto:] On Behalf Of Tim Darby

I've just started using the REST interface and I'm confused about permissions. For example, with the get grouper privileges lite interface, if I'm authenticated as an unprivileged user (and not using actAs) and I specify the groupName only in the request, I get back no results. It seems that my user has to have "admin" on that group to get anything back. However, if I do the same query but also specify a subjectId that is an admin of that group, then I get back all the privileges of that subject on the group. Is that the way it's supposed to work?

Tim Darby
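As an added illustration that is not Grouper's code (class and function names are hypothetical, and it assumes the rule the thread implies, that ADMIN on the group is required to read its privilege assignments), this Python model shows how an authorization check applied on only one request path reproduces the behaviour Tim observed, and how checking the caller on every path closes it:

```python
from dataclasses import dataclass, field

ADMIN = "admin"   # access privilege that gates reading a group's privilege list
VIEW = "view"


@dataclass
class Group:
    name: str
    # subject id -> set of access privileges that subject holds on this group
    privileges: dict = field(default_factory=dict)

    def has(self, subject_id, privilege):
        return privilege in self.privileges.get(subject_id, set())

    def assignments(self, subject_id=None):
        """All (subject, privilege) pairs, optionally filtered to one subject."""
        subjects = [subject_id] if subject_id is not None else sorted(self.privileges)
        return [(s, p) for s in subjects for p in sorted(self.privileges.get(s, set()))]


def get_privileges_lite_vulnerable(group, caller, subject_id=None):
    """Model of the reported behaviour: the caller's ADMIN privilege is only
    checked on the unfiltered path, so a VIEW-only caller that names an admin
    subject still gets that subject's assignments back."""
    if subject_id is None and not group.has(caller, ADMIN):
        return []
    return group.assignments(subject_id)


def get_privileges_lite_fixed(group, caller, subject_id=None):
    """Hardened form: authorize the caller before any lookup, on every path."""
    if not group.has(caller, ADMIN):
        return []
    return group.assignments(subject_id)


def sample_group():
    # Constructed sample data: one admin and one viewer (subject ids are hypothetical).
    return Group("example:dept:sa-tech-team",
                 {"admin-subject": {ADMIN, VIEW}, "viewer-subject": {VIEW}})


if __name__ == "__main__":
    g = sample_group()
    print("vulnerable, viewer, no filter:", get_privileges_lite_vulnerable(g, "viewer-subject"))
    print("vulnerable, viewer, filter=admin:", get_privileges_lite_vulnerable(g, "viewer-subject", "admin-subject"))
    print("fixed, viewer, filter=admin:", get_privileges_lite_fixed(g, "viewer-subject", "admin-subject"))
```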