]> git.koha-community.org Git - koha.git/commit
Bug 17035 - Koha allows system-wide 'read' access to all Koha zebra databases, by...
authorMason James <mtj@kohaaloha.com>
Wed, 3 Aug 2016 04:32:00 +0000 (16:32 +1200)
committerJulian Maurice <julian.maurice@biblibre.com>
Mon, 24 Oct 2016 09:43:16 +0000 (11:43 +0200)
commit42e01bf600f04fb0aa1de7e88794b355897740a3
tree9da51845a1f360c1a18c705fee0a7a78dce17a6e
parentdb695c4aedbc6b9cb121dd7cacf9aa9e59180842
Bug 17035 - Koha allows system-wide 'read' access to all Koha zebra databases, by default

to test bug...
 1/ make a random user
 2/ change to random user
 3/ access any zebra database with random user and no authentication
 4/ read zebra database

here is a transcript of the bug...
---------------------------
root@xen1:~# adduser bob
root@xen1:~# su -l bob

bob@xen1:~$ cd /var/lib/koha
bob@xen1:/var/lib/koha$ ls
topsecret

bob@xen1:/var/lib/koha$ yaz-client  unix:/var/run/koha/topsecret/bibliosocket
Connecting...OK.
Sent initrequest.
Connection accepted by v3 target.
ID     : 81
Name   : Zebra Information Server/GFS/YAZ
Version: 4.2.30 98864b44c654645bc16b2c54f822dc2e45a93031
Options: search present delSet triggerResourceCtrl scan sort extendedServices namedResultSets
Elapsed: 0.001002

Z> base biblios;

Z> find the
Sent searchRequest.
Received SearchResponse.
Search was a success.
Number of hits: 1130, setno 2
SearchResult-1: term=the cnt=1130
records returned: 0
Elapsed: 0.005518

Z> show
Sent presentRequest (1+1).
Records: 1
[biblios]Record type: USmarc
01824cam a2200397 a 4500
001 000045782309
003 AuCNLKIN
005 20111013213222.0
008 100707s2011    maua          001 0 e
...
---------------------------

5/ apply changes to a Koha instance's config files, that you plan to test

6/ restart zebra for instance
 # sudo koha-restart-zebra topsecret

7/ repeat steps 2 and 3, but receive a 'bad user/passwd ' error from zebra

bob@xen1:~$ yaz-client unix:/var/run/koha/topsecret/bibliosocket
Connecting...OK.
Sent initrequest.
Connection rejected by v3 target.
    1: code=1011 (Init/AC: Bad Userid and/or Password),

NOTE: this patch currently will only fixes newly created instances, it wont fix existing instances
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Good catch Mason

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit f2196a2e4f21a9a294c970a1ad067f5c3d1cb4eb)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit f3917fc8cb8c49bc85e7d371043cae8bd276063d)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
etc/zebradb/zebra-authorities-dom.cfg
etc/zebradb/zebra-authorities.cfg
etc/zebradb/zebra-biblios-dom.cfg
etc/zebradb/zebra-biblios.cfg