oops, the shell .proctable service doesn't protect against access by a different user.
Shell services must call shell_svc_allowed() to check if the requestor has the OWNER role or matches the shell's uid. However, shell_svc_allowed() isn't even exported via the public shell.h API, so there is currently no way to secure shell services provided by external plugins.
In general, it probably isn't good security practice to make services "open" by default. I can't really think of a current use case where a shell service would need to be accessed by a user other than the shell owner, so perhaps the fix here is to make shell services secure by default. We could later add a method to force the service open to all users when that becomes necessary.
Problem: Shell services registered by flux_shell_service_register()
are "open to all" by default, and require a call to shell_svc_allowed()
in each msg handler in order to secure the service against multi-user
access. However, this design requires repetitive calls in every service
message handler, and makes it more likely that plugins install insecure
services when this call is forgotten. Furthermore, shell_svc_allowed()
is not even exported publicly in the shell.h API, so it is impossible
to create secure services via external shell plugins.
Internally wrap all message handlers installed by shell_svc_register()
and call shell_svc_allowed() so that all services are secure by default.
If a use case ever arises that requires multiuser access to a shell
service, then a separate api call can be created to export an
insecure service, so that the security of the service is explicit.
Fixes flux-framework#2876
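The "wrap every handler once" design the commit describes, as an added example that is not flux-core's own code: the message, handler and shell types are constructed stand-ins for flux's flux_msg_t / flux_msg_handler_f, and ROLE_OWNER stands in for the OWNER role. The policy is the one the issue states: the requester must hold the OWNER role or have the same uid as the shell, and the plugin handler never runs otherwise.

```c
/* Added example (not flux-core code): secure-by-default service wrapper. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define ROLE_OWNER 0x1u   /* constructed stand-in for the OWNER role bit */
#define ROLE_USER  0x2u

struct msg { uint32_t userid; uint32_t rolemask; const char *topic; };
typedef int (*handler_f)(const struct msg *msg, void *arg);
struct shell { uint32_t uid; };

/* One registered service: the plugin's handler plus the owning shell. */
struct svc {
    struct shell *shell;
    handler_f fn;
    void *arg;
    int denied;   /* count of rejected requests, useful for auditing */
};

/* Policy check applied once in the wrapper, not in every handler. */
static int svc_allowed(const struct shell *shell, const struct msg *msg)
{
    if (msg->rolemask & ROLE_OWNER)
        return 1;
    return msg->userid == shell->uid;
}

/* Registration installs the wrapper, so a plugin cannot forget the check. */
static struct svc svc_register(struct shell *shell, handler_f fn, void *arg)
{
    struct svc s = { shell, fn, arg, 0 };
    return s;
}

/* The wrapper: rejects unauthorized requesters with EPERM (standing in for
 * an error response) before the inner handler is ever reached. */
static int svc_dispatch(struct svc *svc, const struct msg *msg)
{
    if (!svc_allowed(svc->shell, msg)) {
        svc->denied++;
        fprintf(stderr, "%s: denied uid=%u (shell uid=%u)\n",
                msg->topic, msg->userid, svc->shell->uid);
        return -EPERM;
    }
    return svc->fn(msg, svc->arg);
}

/* Example plugin handler for a .proctable-style request. */
static int proctable_cb(const struct msg *msg, void *arg)
{
    (void)msg; (void)arg;
    return 0;   /* would respond with the process table */
}
```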