Issue #3474: gpg_cmd configuration option should not be accepted in repo config or overrides - RPM Support - Pulp

Agile board
Agile charts

Agile boards

Pulp 2 QE Agile Board
Pulp 2 QE Agile Board - Priority View
Pulp 3 QE Agile Board
Pulp 3 RPM Tests Agile Board
Sprint 112 Agile Board

Custom queries

[All Projects] All Test Trackers
2.21.4 - Next Bugfix Release
2.21.4 MODIFIED
2.21.5
3.14.3
Easy Fix
FIPS open
Functional Tests
Galaxy NG
Groomed
Issues for Triage
Katello Integration
Next Docs Day
POST/ASSIGNED - no Sprint - Pulp2
POST/ASSIGNED - no Sprint - Pulp3
Prioritized Bugs
Pulp 3 Docs issues
Pulp 3 Tests
Pulp RPM 3.x blockers
Pulp RPM Priority items
Pulp2 issues available for next release
SELinux related
Sprint 111
Sprint 112
Sprint Candidates (also groomed)
Un-Triaged Bugs
Verification Required

Actions

Send by e-mail Copy link

Issue #3474

closed

gpg_cmd configuration option should not be accepted in repo config or overrides

Added by mihai.ibanescu@gmail.com over 6 years ago. Updated over 5 years ago.

Status:

CLOSED - CURRENTRELEASE

Priority:

Normal

Assignee:

Sprint/Milestone:

Start date:

Due date:

Estimated time:

Severity:

2. Medium

Version:

Platform Release:

2.16.0

OS:

Triaged:

Yes

Groomed:

Sprint Candidate:

Tags:

Pulp 2

Sprint:

Quarter:

Description

As a user, I can specify a gpg_cmd option in the plugin's distributor config, which will override the plugin config.

This has security implications, since it allows a potentially malicious user to execute commands remotely on the pulp server as user apache.

The fix is not entirely straightforward. I think one would want a per-config-type allowed options.

Related issues

Copied to Debian Support - Issue #3498: gpg_cmd configuration option should not be accepted in repo config or overrides

CLOSED - CURRENTRELEASE

Actions

Issue # Delay: days Cancel

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by dalley over 6 years ago

Triaged changed from No to Yes

Actions

Copy link

Updated by dkliban@redhat.com over 6 years ago

This affects 2.16.0 which will be in Beta next week. We should fix this issue before it goes GA.

Actions

Copy link

Updated by mihai.ibanescu@gmail.com over 6 years ago

Possible patch (to be tested):

diff --git a/plugins/pulp_rpm/plugins/distributors/yum/configuration.py b/plugins/pulp_rpm/plugins/distributors/yum/configuration.py
index 45a8b191..648b8058 100644
--- a/plugins/pulp_rpm/plugins/distributors/yum/configuration.py
+++ b/plugins/pulp_rpm/plugins/distributors/yum/configuration.py
@@ -27,6 +27,8 @@ OPTIONAL_CONFIG_KEYS = ('gpgkey', 'auth_ca', 'auth_cert', 'https_ca', 'checksum_
                         'remove_old_repodata', 'remove_old_repodata_threshold',
                         GPG_CMD, GPG_KEY_ID)

+LOCAL_CONFIG_KEYS = [GPG_CMD]
+
 ROOT_PUBLISH_DIR = '/var/lib/pulp/published/yum'
 MASTER_PUBLISH_DIR = os.path.join(ROOT_PUBLISH_DIR, 'master')
 HTTP_PUBLISH_DIR = os.path.join(ROOT_PUBLISH_DIR, 'http', 'repos')
@@ -71,9 +73,17 @@ def validate_config(repo, config, config_conduit):
     :return: tuple of (bool, str) stating that the configuration is valid or not and why
     :rtype:  tuple of (bool, str or None)
     """
+    error_messages = []
+    msg = _('Configuration key [%(k)s] is not allowed in %(config)s configuration')
+    remote_configs = [
+        (config.repo_plugin_config, "repository plugin"),
+        (config.override_config, "override")]
+    for key in LOCAL_CONFIG_KEYS:
+        for cfgdict, cfgname in remote_configs:
+            if cfgdict.get(key):
+                error_messages.append(msg % dict(k=key, config=cfgname))

     config = config.flatten()  # squish it into a dictionary so we can manipulate it
-    error_messages = []

     configured_keys = set(config)
     required_keys = set(REQUIRED_CONFIG_KEYS)

But let me know if you spot something before I get to do the testing.

Actions

Copy link

Updated by mihai.ibanescu@gmail.com over 6 years ago

Status changed from NEW to POST

PR: https://github.com/pulp/pulp_rpm/pull/1098

Actions

Copy link

Updated by mihai.ibanescu@gmail.com over 6 years ago

Copied to Issue #3498: gpg_cmd configuration option should not be accepted in repo config or overrides added

Added by Mihai Ibanescu over 6 years ago

Revision f351ff72 | View on GitHub

gpg_cmd is not allowed as plugin or override configuration

Since the command configured with gpg_cmd executes remotely as user apache, a user should not be allowed to change it via a distributor config or an override at publish time.

Fixes #3474 https://pulp.plan.io/issues/3474

Actions

Copy link

Updated by Anonymous over 6 years ago

Status changed from POST to MODIFIED

Applied in changeset f351ff7240f8bf9b184f40a5e6896dd7e485a3a7.

Actions

Copy link

Updated by bmbouter over 6 years ago

Platform Release set to 2.16.0

This one fix is to be included in 2.16.0 Beta 1.

Added by Mihai Ibanescu over 6 years ago

Revision 7b6f0f6f | View on GitHub

gpg_cmd is not allowed as plugin or override configuration

Since the command configured with gpg_cmd executes remotely as user apache, a user should not be allowed to change it via a distributor config or an override at publish time.

Fixes #3474 https://pulp.plan.io/issues/3474

(cherry picked from commit f351ff7240f8bf9b184f40a5e6896dd7e485a3a7)

Actions

Copy link