grouper-dev - Re: [grouper-dev] Security alert in Grouper WS : RE: [grouper-users] Question on get grouper privileges lite
Re: [grouper-dev] Security alert in Grouper WS : RE: [grouper-users] Question on get grouper privileges lite
- From: Tim Darby <>
- To: Chris Hyzer <>
- Cc: "" <>, Grouper Dev <>
- Subject: Re: [grouper-dev] Security alert in Grouper WS : RE: [grouper-users] Question on get grouper privileges lite
- Date: Mon, 29 Jul 2013 13:01:22 -0700
The University of Arizona
Mosaic, Systems Integration and Architecture
UITS, Rm 335, 520-626-3799
Tim has uncovered a security problem in Grouper WS. The issue allows unprivileged users to see grouper privileges on folders and for ADMIN users on groups. If you have this set in the grouper-ws.properties (or some other way to limit who has access to WS), it will limit the exposure:
This affects all versions of Grouper WS: 1.4, 1.5, 1.6, 2.0, 2.1. There is a patch that is tested to work for all versions, that you can apply to WS without an upgrade. This should be a low risk patch, and hopefully not too difficult to apply. As people apply it, maybe they can share experiences.
https://bugs.internet2.edu/jira/browse/GRP-923
Sorry for the inconvenience.
Thanks,
Chris
From: [mailto:] On Behalf Of Tim Darby
Sent: Thursday, July 25, 2013 12:36 PM
To: Chris Hyzer
Subject: Re: [grouper-users] Question on get grouper privileges lite
Yes, that subjectid has admin rights. Let me know if you want me to run any more tests.
Tim Darby
The University of Arizona
Mosaic, Systems Integration and Architecture
UITS, Rm 335, 520-626-3799
On Thu, Jul 25, 2013 at 9:34 AM, Chris Hyzer <> wrote:
Thanks for the example, that doesn’t look good. Just curious, does the subjectid you pass in have admin rights on the group? Not that it makes it any better, but just curious…
Thanks,
Chris
From: [mailto:] On Behalf Of Tim Darby
Sent: Thursday, July 25, 2013 12:24 PM
To: Chris Hyzer
Subject: Re: [grouper-users] Question on get grouper privileges lite
Here's the query:
I removed all privileges for GrouperAll on this group and authenticated to grouper-ws with a user who only has "view" privileges on the group. When I run the query I get:
<WsGetGrouperPrivilegesLiteResult>
<resultMetadata>
<resultCode>SUCCESS</resultCode>
<success>T</success>
</resultMetadata>
<responseMetadata>
<resultWarnings/>
<millis>42</millis>
<serverVersion>2.1.4</serverVersion>
</responseMetadata>
</WsGetGrouperPrivilegesLiteResult>
Which makes sense, because I assume that you need admin rights to get the privileges on a group, right?
But then if I do this query:
I get this:
<WsGetGrouperPrivilegesLiteResult>
<resultMetadata>
<resultCode>SUCCESS</resultCode>
<success>T</success>
</resultMetadata>
<privilegeResults>
<WsGrouperPrivilegeResult>
<allowed>T</allowed>
<ownerSubject>
<resultCode>SUCCESS</resultCode>
<success>T</success>
<id>119xxx</id>
<name>Brett L Bendickson</name>
<sourceId>ldap</sourceId>
</ownerSubject>
<privilegeName>admin</privilegeName>
<privilegeType>access</privilegeType>
<revokable>T</revokable>
<wsGroup>
<extension>sa-tech-team</extension>
<typeOfGroup>group</typeOfGroup>
<displayExtension>SA-Tech-Team</displayExtension>
<description>SA Tech Team</description>
<displayName>
University of Arizona:Dept:UITS:Adhoc:Mosaic:SA:SA-Tech-Team
</displayName>
<name>arizona.edu:dept:uits:adhoc:mosaic:sa:sa-tech-team</name>
<uuid>6c4f46613faa424586aa8feecbf7e9fb</uuid>
</wsGroup>
<wsSubject>
<resultCode>SUCCESS</resultCode>
<success>T</success>
<id>119xxx</id>
<name>Brett L Bendickson</name>
<sourceId>ldap</sourceId>
</wsSubject>
</WsGrouperPrivilegeResult>
</privilegeResults>
<responseMetadata>
<resultWarnings/>
<millis>277</millis>
<serverVersion>2.1.4</serverVersion>
</responseMetadata>
</WsGetGrouperPrivilegesLiteResult>
Tim Darby
The University of Arizona
Mosaic, Systems Integration and Architecture
UITS, Rm 335, 520-626-3799
On Wed, Jul 24, 2013 at 6:21 PM, Chris Hyzer <> wrote:
Can you give example requests/responses that shows the problem? Also let me know what privileges are assigned to GrouperAll if any on the applicable objects.
Thanks
Chris
From: [mailto:] On Behalf Of Tim Darby
Sent: Wednesday, July 24, 2013 7:24 PM
To:
Subject: [grouper-users] Question on get grouper privileges lite
I've just started using the REST interface and I'm confused about permissions. For example, with the get grouper privileges lite interface, if I'm authenticated as an unprivileged user (and not using actAs) and I specify the groupName only in the request, I get back no results. It seems that my user has to have "admin" on that group to get anything back. However, if I do the same query but also specify a subjectId that is an admin of that group, then I get back all the privileges of that subject on the group. Is that the way it's supposed to work?
Tim Darby
The University of Arizona
Mosaic, Systems Integration and Architecture
UITS, Rm 335, 520-626-3799
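A regression check an administrator could run after applying the GRP-923 patch: it parses a getGrouperPrivilegesLite response captured while authenticated as a view-only user (groupName and subjectId both set, as in Tim's second query) and reports any privilege assignments the caller should not have received. This is an added example, not code from the thread or from Grouper; the sample responses are constructed, abbreviated from the two quoted above, and the rule that a caller may read only its own privileges unless it holds ADMIN on the group is an assumption.

```python
# Added example (not from the thread or from Grouper). After patching, call
# getGrouperPrivilegesLite as a view-only user with groupName + subjectId,
# save the XML response and pass it to exposes_privileges(); a non-empty
# result means the WS still returns privilege rows to a non-admin caller.
import xml.etree.ElementTree as ET

def privilege_results(xml_text):
    """Extract each WsGrouperPrivilegeResult as a dict of the relevant fields."""
    root = ET.fromstring(xml_text)
    rows = []
    for r in root.findall("./privilegeResults/WsGrouperPrivilegeResult"):
        rows.append({
            "subject": r.findtext("wsSubject/id"),
            "privilege": r.findtext("privilegeName"),
            "type": r.findtext("privilegeType"),
            "group": r.findtext("wsGroup/name"),
            "allowed": r.findtext("allowed") == "T",
        })
    return rows

def exposes_privileges(xml_text, caller_id, caller_is_admin):
    """Return the rows a non-admin caller should not see.

    Assumed rule: a caller may read its own privileges; reading anyone else's
    requires ADMIN on the group (the check the unpatched WS skipped whenever a
    subjectId was supplied).
    """
    if caller_is_admin:
        return []
    return [row for row in privilege_results(xml_text)
            if row["subject"] != caller_id and row["allowed"]]

# Constructed sample responses, abbreviated from those quoted in the thread.
EMPTY_RESPONSE = """<WsGetGrouperPrivilegesLiteResult>
  <resultMetadata><resultCode>SUCCESS</resultCode><success>T</success></resultMetadata>
  <responseMetadata><resultWarnings/><millis>42</millis><serverVersion>2.1.4</serverVersion></responseMetadata>
</WsGetGrouperPrivilegesLiteResult>"""

LEAKY_RESPONSE = """<WsGetGrouperPrivilegesLiteResult>
  <resultMetadata><resultCode>SUCCESS</resultCode><success>T</success></resultMetadata>
  <privilegeResults>
    <WsGrouperPrivilegeResult>
      <allowed>T</allowed>
      <privilegeName>admin</privilegeName>
      <privilegeType>access</privilegeType>
      <wsGroup><name>arizona.edu:dept:uits:adhoc:mosaic:sa:sa-tech-team</name></wsGroup>
      <wsSubject><id>119xxx</id><sourceId>ldap</sourceId></wsSubject>
    </WsGrouperPrivilegeResult>
  </privilegeResults>
</WsGetGrouperPrivilegesLiteResult>"""

if __name__ == "__main__":
    for label, body in (("groupName only", EMPTY_RESPONSE),
                        ("groupName + subjectId", LEAKY_RESPONSE)):
        leaked = exposes_privileges(body, caller_id="viewer-only", caller_is_admin=False)
        print(f"{label}: {'LEAK' if leaked else 'ok'} {leaked}")
```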