Bug 17035 - Koha allows system-wide 'read' access to all Koha zebra databases, by default
to test bug...
1/ make a random user
2/ change to random user
3/ access any zebra database with random user and no authentication
4/ read zebra database
here is a transcript of the bug...
---------------------------
root@xen1:~# adduser bob
root@xen1:~# su -l bob
bob@xen1:~$ cd /var/lib/koha
bob@xen1:/var/lib/koha$ ls
topsecret
bob@xen1:/var/lib/koha$ yaz-client unix:/var/run/koha/topsecret/bibliosocket
Connecting...OK.
Sent initrequest.
Connection accepted by v3 target.
ID : 81
Name : Zebra Information Server/GFS/YAZ
Version: 4.2.30
98864b44c654645bc16b2c54f822dc2e45a93031
Options: search present delSet triggerResourceCtrl scan sort extendedServices namedResultSets
Elapsed: 0.001002
Z> base biblios;
Z> find the
Sent searchRequest.
Received SearchResponse.
Search was a success.
Number of hits: 1130, setno 2
SearchResult-1: term=the cnt=1130
records returned: 0
Elapsed: 0.005518
Z> show
Sent presentRequest (1+1).
Records: 1
[biblios]Record type: USmarc
01824cam
a2200397 a 4500
001
000045782309
003 AuCNLKIN
005
20111013213222.0
008 100707s2011 maua 001 0 e
...
---------------------------
5/ apply changes to a Koha instance's config files, that you plan to test
6/ restart zebra for instance
# sudo koha-restart-zebra topsecret
7/ repeat steps 2 and 3, but receive a 'bad user/passwd ' error from zebra
bob@xen1:~$ yaz-client unix:/var/run/koha/topsecret/bibliosocket
Connecting...OK.
Sent initrequest.
Connection rejected by v3 target.
1: code=1011 (Init/AC: Bad Userid and/or Password),
NOTE: this patch currently will only fixes newly created instances, it wont fix existing instances
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Good catch Mason
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
(cherry picked from commit
f2196a2e4f21a9a294c970a1ad067f5c3d1cb4eb)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
(cherry picked from commit
f3917fc8cb8c49bc85e7d371043cae8bd276063d)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>