From f2196a2e4f21a9a294c970a1ad067f5c3d1cb4eb Mon Sep 17 00:00:00 2001
From: Mason James
Date: Wed, 3 Aug 2016 16:32:00 +1200
Subject: [PATCH] Bug 17035 - Koha allows system-wide 'read' access to all Koha zebra databases, by default

to test bug...

1/ make a random user
2/ change to random user
3/ access any zebra database with random user and no authentication
4/ read zebra database

here is a transcript of the bug...
---------------------------
root@xen1:~# adduser bob
root@xen1:~# su -l bob
bob@xen1:~$ cd /var/lib/koha
bob@xen1:/var/lib/koha$ ls
topsecret
bob@xen1:/var/lib/koha$ yaz-client unix:/var/run/koha/topsecret/bibliosocket
Connecting...OK.
Sent initrequest.
Connection accepted by v3 target.
ID : 81
Name : Zebra Information Server/GFS/YAZ
Version: 4.2.30 98864b44c654645bc16b2c54f822dc2e45a93031
Options: search present delSet triggerResourceCtrl scan sort extendedServices namedResultSets
Elapsed: 0.001002
Z> base biblios;
Z> find the
Sent searchRequest.
Received SearchResponse.
Search was a success.
Number of hits: 1130, setno 2
SearchResult-1: term=the cnt=1130
records returned: 0
Elapsed: 0.005518
Z> show
Sent presentRequest (1+1).
Records: 1
[biblios]Record type: USmarc
01824cam a2200397 a 4500
001 000045782309
003 AuCNLKIN
005 20111013213222.0
008 100707s2011 maua 001 0 e
...
---------------------------

5/ apply changes to a Koha instance's config files, that you plan to test
6/ restart zebra for instance
   # sudo koha-restart-zebra topsecret
7/ repeat steps 2 and 3, but receive a 'bad user/passwd ' error from zebra

bob@xen1:~$ yaz-client unix:/var/run/koha/topsecret/bibliosocket
Connecting...OK.
Sent initrequest.
Connection rejected by v3 target.
1: code=1011 (Init/AC: Bad Userid and/or Password),

NOTE: this patch currently will only fix newly created instances, it won't fix existing instances

Signed-off-by: Chris Cormack

Good catch Mason

Signed-off-by: Jonathan Druart
Signed-off-by: Brendan Gallagher --- etc/zebradb/zebra-authorities-dom.cfg | 2 +- etc/zebradb/zebra-authorities.cfg | 2 +- etc/zebradb/zebra-biblios-dom.cfg | 2 +- etc/zebradb/zebra-biblios.cfg | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/etc/zebradb/zebra-authorities-dom.cfg b/etc/zebradb/zebra-authorities-dom.cfg index f1608ec989..f3b267b4fe 100644 --- a/etc/zebradb/zebra-authorities-dom.cfg +++ b/etc/zebradb/zebra-authorities-dom.cfg @@ -33,7 +33,7 @@ storeData:1 # Lock File Area lockDir: __ZEBRA_LOCK_DIR__/authorities -perm.anonymous:ar +#perm.anonymous:ar perm.__ZEBRA_USER__:rw register: __ZEBRA_DATA_DIR__/authorities/register:20G shadow: __ZEBRA_DATA_DIR__/authorities/shadow:20G diff --git a/etc/zebradb/zebra-authorities.cfg b/etc/zebradb/zebra-authorities.cfg index b133e26d19..609aa29ac6 100644 --- a/etc/zebradb/zebra-authorities.cfg +++ b/etc/zebradb/zebra-authorities.cfg @@ -43,7 +43,7 @@ storeData:1 # Lock File Area lockDir: __ZEBRA_LOCK_DIR__/authorities -perm.anonymous:ar +#perm.anonymous:ar perm.__ZEBRA_USER__:rw passwd: __ZEBRA_CONF_DIR__/etc/passwd register: __ZEBRA_DATA_DIR__/authorities/register:20G diff --git a/etc/zebradb/zebra-biblios-dom.cfg b/etc/zebradb/zebra-biblios-dom.cfg index 731a73051e..76ed216990 100644 --- a/etc/zebradb/zebra-biblios-dom.cfg +++ b/etc/zebradb/zebra-biblios-dom.cfg @@ -33,7 +33,7 @@ facetNumRecs:1000 # Lock File Area lockDir: __ZEBRA_LOCK_DIR__/biblios -perm.anonymous:ar +#perm.anonymous:ar perm.__ZEBRA_USER__:rw passwd: __ZEBRA_CONF_DIR__/etc/passwd register: __ZEBRA_DATA_DIR__/biblios/register:20G diff --git a/etc/zebradb/zebra-biblios.cfg b/etc/zebradb/zebra-biblios.cfg index 26739bd213..2581ecf3e2 100644 --- a/etc/zebradb/zebra-biblios.cfg +++ b/etc/zebradb/zebra-biblios.cfg 
@@ -41,7 +41,7 @@ storeData:1 # Lock File Area lockDir: __ZEBRA_LOCK_DIR__/biblios -perm.anonymous:ar +#perm.anonymous:ar perm.__ZEBRA_USER__:rw passwd: __ZEBRA_CONF_DIR__/etc/passwd register: __ZEBRA_DATA_DIR__/biblios/register:20G -- 2.39.5
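Review bot: in the etc/zebradb/zebra-authorities-dom.cfg hunk the visible context contains no `passwd:` line, whereas the other three files all show `passwd: __ZEBRA_CONF_DIR__/etc/passwd` directly after `perm.__ZEBRA_USER__:rw`. Once `perm.anonymous:ar` is commented out, the `__ZEBRA_USER__` credentials become the only way into the authorities-dom database, so please confirm this file defines `passwd:` somewhere outside the hunk, or add it here as in the other three files; the transcript in the commit message only exercises the biblios socket.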
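Review bot: `-perm.anonymous:ar` / `+#perm.anonymous:ar` (the same one-line change in all four files, ending with the etc/zebradb/zebra-biblios.cfg hunk) leaves a commented-out grant with no explanation, which invites a future maintainer to uncomment it as a "missing" setting. Suggest replacing the commented line with a short note such as `# anonymous access deliberately disabled, see Bug 17035` and leaving `perm.__ZEBRA_USER__:rw` as the only grant. Separately, the commit message's own NOTE says existing instances are not fixed: because each instance carries its own copy of these zebra-*.cfg files, the change needs either an upgrade step or release-note text telling administrators to apply the same edit to every instance's config and run `koha-restart-zebra <instance>` as in step 6 of the test plan.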
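Because the patch only changes the templates for new instances, an administrator still has to find existing instance config files that carry an active `perm.anonymous` grant. The following audit script is an added example written for this page; it is not part of the Koha patch or project. The function takes any number of Zebra config files as arguments, reports each one that still has an uncommented `perm.anonymous` line, and exits non-zero if any was found. The two sample files it writes to a temporary directory are constructed for the demonstration, as are the `kohauser` account name and the lock directory path.

```shell
#!/bin/sh
# Added example, not Koha's own code.
# Audit Zebra config files for an active (uncommented) perm.anonymous grant.
# Returns 0 if no file grants anonymous access, 1 if at least one does.
check_zebra_anon_perm() {
    rc=0
    for f in "$@"; do
        # A live grant is a line beginning with perm.anonymous (optionally
        # indented); the patched form begins with '#' and therefore does not match.
        if grep -q '^[[:space:]]*perm\.anonymous[[:space:]]*:' "$f"; then
            echo "ANONYMOUS ACCESS ENABLED: $f: $(grep '^[[:space:]]*perm\.anonymous' "$f")"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files: one unpatched, one with the Bug 17035 change applied.
demo_dir=$(mktemp -d)
printf 'lockDir: /var/lock/koha/demo/biblios\nperm.anonymous:ar\nperm.kohauser:rw\n' \
    > "$demo_dir/zebra-biblios-open.cfg"
printf 'lockDir: /var/lock/koha/demo/biblios\n#perm.anonymous:ar\nperm.kohauser:rw\n' \
    > "$demo_dir/zebra-biblios-fixed.cfg"

# Real use: check_zebra_anon_perm /etc/koha/sites/*/zebra-*.cfg  (path is an assumption)
check_zebra_anon_perm "$demo_dir"/*.cfg \
    || echo "remediation: comment out perm.anonymous in each listed file, then koha-restart-zebra <instance>"
rm -rf "$demo_dir"
```

Run it against every instance's zebra-*.cfg after upgrading; the non-zero exit status makes it usable from a cron job or configuration-management check, and the echoed line shows exactly which grant is still active.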