Close security hole allowing normal user to become admin

Icc105c39e introduced a severe security problem, allowing non-admin
users that were granted the modifyAccount capability to modify the SSH keys
of all users, including administrators. But that means such a user
can change the authentication of an existing administrator and then
impersonate the admin to elevate their own account status to that
of an admin.

Rectify it by restricting the changing of SSH keys for a user only to
members of the administrators group.

Change-Id: If82965391369121b282b969e7072a2bfa3074be9
David Ostrovsky
2014-08-22 08:20:59 +02:00
committed by David Ostrovsky
parent cf9bce2191
commit c055d46280
4 changed files with 17 additions and 4 deletions


@@ -18,6 +18,7 @@ import com.google.common.base.Strings;
import com.google.gerrit.common.data.GlobalCapability;
import com.google.gerrit.common.errors.EmailException;
import com.google.gerrit.extensions.annotations.RequiresCapability;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.RawInput;
import com.google.gerrit.extensions.restapi.ResourceNotFoundException;
import com.google.gerrit.extensions.restapi.RestApiException;
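Review bot: the imports of GlobalCapability and RequiresCapability are left in place alongside the new AuthException import, so the command itself stays reachable by any user holding the modifyAccount capability; the fix described in the commit message therefore has to be an explicit administrators-group check inside the SSH-key code paths, not a change to the class-level capability annotation. Make sure that check is present in the method bodies further down, otherwise this import change on its own does nothing.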
@@ -260,7 +261,7 @@ final class SetAccountCommand extends SshCommand {
}
}
private void deleteSshKey(SshKeyInfo i) throws OrmException {
private void deleteSshKey(SshKeyInfo i) throws AuthException, OrmException {
AccountSshKey sshKey = new AccountSshKey(
new AccountSshKey.Id(user.getAccountId(), i.seq), i.sshPublicKey);
deleteSshKey.apply(
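Review bot: changing the signature to `throws AuthException, OrmException` on deleteSshKey only helps if the administrators-group check runs before `deleteSshKey.apply(` is reached, and that check is not among the lines visible here; confirm the body throws AuthException for non-administrators rather than merely declaring it. The commit message also says "changing of SSH keys" in general, but this hunk only touches deletion, so the same guard must be applied to the add-key path as well, or a modifyAccount holder can still plant a key on an administrator's account and gain exactly the impersonation the change is meant to close.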