X2Go Bug report logs - #1234
acl-users-allow=ALL supersedes acl-users-deny


Package: x2gobroker; Maintainer for x2gobroker is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2gobroker is src:x2gobroker.

Reported by: Walid MOGHRABI <w.moghrabi@servicemagic.eu>

Date: Tue, 21 Nov 2017 17:30:02 UTC

Severity: normal

Tags: patch, pending

Fixed in version 0.0.4.0





Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1234; Package x2gobroker. (Tue, 21 Nov 2017 17:30:02 GMT)

Acknowledgement sent to Walid MOGHRABI <w.moghrabi@servicemagic.eu>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 21 Nov 2017 17:30:03 GMT)

Message #5 received at submit@bugs.x2go.org:

From: Walid MOGHRABI <w.moghrabi@servicemagic.eu>
To: submit@bugs.x2go.org
Subject: acl-users-allow=ALL supersedes acl-users-deny
Date: Tue, 21 Nov 2017 18:23:32 +0100 (CET)
package: x2gobroker
priority: normal
tags: patch

When using ACLs with the session broker, I wanted to give access to a session setting to ALL users EXCEPT some (namely "formation{1..9}").
I tried this but it didn't work:

=================================================
[TRAVAUX]
fullscreen=true
clipboard=none
name=TRAVAUX
host=tce-server (10.10.10.1)
acl-users-allow=ALL
acl-users-deny=formation1, formation2, formation3, formation4, formation5, formation6, formation7, formation8, formation9
acl-any-order=deny-allow
=================================================

I played with many settings, changing the order, using only the "acl-users-deny" option, ... none of them worked as expected.

I ended up thinking that there was a bug with acl-users-allow=ALL which was taking over any other setting.

I did a little fix that seems to work, at least for this use case.

Regards,
Walid Moghrabi

TRAVAUX.COM
BAT I - PARC CEZANNE 2 290 AVENUE GALILEE - CS 80403
13591 AIX EN PROVENCE CEDEX 3

[x2gobroker_acl-users-allow.patch (text/x-patch, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1234; Package x2gobroker. (Sun, 26 Nov 2017 06:35:01 GMT)

Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Sun, 26 Nov 2017 06:35:01 GMT)

Message #10 received at 1234@bugs.x2go.org:

From: Mihai Moldovan <ionic@ionic.de>
To: Walid MOGHRABI <w.moghrabi@servicemagic.eu>, 1234@bugs.x2go.org, mike.gabriel@sunweavers.net
Subject: Re: [X2Go-Dev] acl-users-allow=ALL supersedes acl-users-deny
Date: Sun, 26 Nov 2017 07:33:40 +0100
* On 11/21/2017 06:23 PM, Walid MOGHRABI wrote:
> When using ACLs with the session broker, I wanted to give access to a session setting to ALL users EXCEPT some (namely "formation{1..9}").
> I tried this but it didn't work :
> [...]

I really have no idea what the rules are supposed to be.

For users, the current rules are (simplified; the actual rules are longer but
also redundant):
  [allow-deny]: allow && !deny
  [deny-allow]: allow

(allow stands for "user explicitly listed in allow list", deny stands for "user
explicitly listed in deny list".)


This doesn't make sense to me.
For instance, a user not explicitly listed in the allowed list will be denied
access in deny-allow mode, while in allow-deny mode a user that is explicitly
granted access will still be denied if it is listed in the denied list.


What was the original inspiration for this?


It's not Apache httpd, since that has different rules...


My naïve understanding of this would be that:
  [allow-deny]: allow user if explicitly mentioned in allowed list, otherwise
allow if not explicitly denied
  [deny-allow]: deny user if explicitly mentioned in denied list, otherwise allow

Examples for [allow-deny] ("..." denotes a list *not* containing user):
  allow = { user, ... }; deny = { user, ... } => ALLOW
  allow = { user, ... }; deny = { ... }       => ALLOW
  allow = { ... };       deny = { ... }       => ALLOW
  allow = { ... };       deny = { user, ...}  => DENY

Examples for [deny-allow] ("..." denotes a list *not* containing user):
  allow = { user, ... }; deny = { user, ... } => DENY
  allow = { user, ... }; deny = { ... }       => ALLOW
  allow = { ... };       deny = { ... }       => ALLOW
  allow = { ... };       deny = { user, ... } => DENY


This is useful because it allows access in the case a user is not a member of
any list (emulating the behavior of not using any ACL for a specific user) and
otherwise giving correct precedence to a specific list.


The current behavior is not explicitly documented either, but only "implicitly"
by code and tests, which makes it difficult to understand what is intended and
what isn't.

For instance, one test case explicitly mentions:

  [deny-allow] allow = { user }; deny = { ALL }; => ALLOW

which just doesn't make sense to me. If all users are denied and the order is
deny-allow, why would the user be allowed, even if it's in the allow list? The
order isn't allow-deny, so if all users are denied with the deny-allow order,
the allow list shouldn't even come into play.



Mihai

[signature.asc (application/pgp-signature, attachment)]
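The two evaluation orders Mihai spells out above, as an added worked example. This is not x2gobroker's code and not part of the report; it only encodes the simplified pre-fix behaviour and the proposed semantics from the message above so they can be compared on the reporter's [TRAVAUX] section and on Mihai's eight-row tables. Assumptions not stated on the page: acl-users-* values are comma-separated user names with surrounding whitespace ignored, and the keyword ALL stands for every user (so a deny list of ALL "lists" everybody). Whether commit 75bc19e implements exactly these rules cannot be told from this page, since only the changelog hunk is shown.

```python
"""Added example: a small model of the ACL orders discussed in bug #1234.

This is NOT x2gobroker's code. It encodes the rules Mihai wrote out in his
reply (the simplified pre-fix behaviour and his proposed semantics) so the two
can be compared on the reporter's TRAVAUX profile. Assumptions not stated on
the page: list values are comma-separated user names, surrounding whitespace
is ignored, and the keyword ALL stands for every user.
"""
from __future__ import annotations

ALL = "ALL"


def parse_list(value: str) -> set[str]:
    """Turn 'a, b, c' (the acl-users-* value format in the report) into a set."""
    return {name.strip() for name in value.split(",") if name.strip()}


def listed(user: str, names: set[str]) -> bool:
    """A user is 'listed' if named explicitly or if the list contains ALL (assumption)."""
    return ALL in names or user in names


def current_rules(user: str, allow: set[str], deny: set[str], order: str) -> bool:
    """Pre-fix behaviour as Mihai summarised it: allow-deny is allow && !deny,
    deny-allow is just allow (the deny list is never consulted)."""
    a, d = listed(user, allow), listed(user, deny)
    if order == "allow-deny":
        return a and not d
    if order == "deny-allow":
        return a
    raise ValueError(f"unknown acl-any-order: {order!r}")


def proposed_rules(user: str, allow: set[str], deny: set[str], order: str) -> bool:
    """Mihai's proposal: the list named first in the order wins for users it
    lists; a user on neither list is allowed, as if no ACL were set."""
    a, d = listed(user, allow), listed(user, deny)
    if order == "allow-deny":
        return True if a else not d
    if order == "deny-allow":
        return False if d else True
    raise ValueError(f"unknown acl-any-order: {order!r}")


def check_profile_acl(profile: dict[str, str], user: str, rules=proposed_rules) -> bool:
    """Evaluate one broker profile section (given as a dict of its keys) for a user."""
    allow = parse_list(profile.get("acl-users-allow", ""))
    deny = parse_list(profile.get("acl-users-deny", ""))
    return rules(user, allow, deny, profile["acl-any-order"])


# The reporter's [TRAVAUX] section reduced to its ACL keys (constructed from the
# bug report; host and session options play no role in the ACL decision).
TRAVAUX = {
    "acl-users-allow": "ALL",
    "acl-users-deny": ", ".join(f"formation{i}" for i in range(1, 10)),
    "acl-any-order": "deny-allow",
}


def mihai_table(rules) -> list[bool]:
    """Mihai's eight examples in the order he listed them (allow-deny first).
    'other' stands for the '...' entries, i.e. a list not containing the user."""
    u = "user"
    cases = [
        ("allow-deny", {u, "other"}, {u, "other"}),
        ("allow-deny", {u, "other"}, {"other"}),
        ("allow-deny", {"other"}, {"other"}),
        ("allow-deny", {"other"}, {u, "other"}),
        ("deny-allow", {u, "other"}, {u, "other"}),
        ("deny-allow", {u, "other"}, {"other"}),
        ("deny-allow", {"other"}, {"other"}),
        ("deny-allow", {"other"}, {u, "other"}),
    ]
    return [rules(u, allow, deny, order) for order, allow, deny in cases]


def disputed_test_case(rules) -> bool:
    """The unit-test expectation Mihai questioned:
    [deny-allow] allow = { user }; deny = { ALL }."""
    return rules("user", {"user"}, {ALL}, "deny-allow")


if __name__ == "__main__":
    for who in ("formation3", "alice"):
        print(who,
              "pre-fix:", check_profile_acl(TRAVAUX, who, current_rules),
              "proposed:", check_profile_acl(TRAVAUX, who, proposed_rules))
```

Run as a script, the pre-fix model lets formation3 into TRAVAUX because acl-users-allow=ALL short-circuits the deny list in deny-allow order, which is the symptom the reporter describes; the proposed rules deny formation1..9 and allow everyone else. The disputed unit-test case (allow = { user }, deny = { ALL }, deny-allow) comes out ALLOW under the old model and DENY under the proposed one, which is the disagreement Mihai points out. When reviewing the actual fix, the worthwhile check is to run the real check_profile_acls() against these same inputs rather than trusting the changelog wording.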

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1234; Package x2gobroker. (Mon, 12 Feb 2018 15:00:01 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Mon, 12 Feb 2018 15:00:02 GMT)

Message #15 received at 1234@bugs.x2go.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 1234-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 1234@bugs.x2go.org
Subject: X2Go issue (in src:x2gobroker) has been marked as pending for release
Date: Mon, 12 Feb 2018 15:56:21 +0100 (CET)
tag #1234 pending
fixed #1234 0.0.4.0
thanks

Hello,

X2Go issue #1234 (src:x2gobroker) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=x2gobroker.git;a=commitdiff;h=75bc19e

The issue will most likely be fixed in src:x2gobroker (0.0.4.0).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit 75bc19eea6433110733d53e4de23ab2703b19179
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date:   Mon Feb 12 15:53:33 2018 +0100

    x2gobroker/brokers/base_broker.py: Entire rewrite of check_profile_acls() method. (Fixes: #1234).

diff --git a/debian/changelog b/debian/changelog
index 2d7940e..116897b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,8 @@ x2gobroker (0.0.4.0-0x2go1) UNRELEASED; urgency=medium
     - x2gobroker/basicauth.py: Fix call of base64.decodestring on Python3.
     - Unit tests: Fix deep misunderstanding in the way allow-deny vs.
       deny-allow should actually work.
+    - x2gobroker/brokers/base_broker.py: Entire rewrite of
+      check_profile_acls() method. (Fixes: #1234).
   * debian/{control,compat}: Bump to DH version level 9.
   * debian/{control,x2gobroker-common.install}:
     + Split out common files into non-Pythonian bin:pkg.
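Review bot: the added changelog entry says check_profile_acls() was entirely rewritten but not how the ACL decision changed, and for an access-control rewrite that is the part administrators need; please state the resulting allow-deny and deny-allow semantics (which list wins for a listed user, and what happens to a user on neither list) so that an operator with a profile like the reporter's acl-users-allow=ALL plus an acl-users-deny list in deny-allow order can tell before upgrading that previously admitted users will now be denied. The neighbouring entry "Unit tests: Fix deep misunderstanding in the way allow-deny vs. deny-allow should actually work" confirms the expected behaviour moved, which makes the omission more costly. Also note that only debian/changelog appears in this excerpt; the base_broker.py change itself has to be pulled from commit 75bc19e to review.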


Added tag(s) pending. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Mon, 12 Feb 2018 15:00:02 GMT)

Marked as fixed in versions 0.0.4.0. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Mon, 12 Feb 2018 15:00:02 GMT)

Message sent on to Walid MOGHRABI <w.moghrabi@servicemagic.eu>:
Bug#1234. (Mon, 12 Feb 2018 15:00:02 GMT)



X2Go Developers <owner@bugs.x2go.org>. Last modified: Wed Dec 12 03:03:37 2018; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.