From f20dfcef63d3bb8617b22cf4c03cfda9c736a995 Mon Sep 17 00:00:00 2001
From: Philipp Schafft
Date: Thu, 4 Oct 2018 09:00:26 +0000
Subject: [PATCH] Fix: SECURITY Do not handle admin-requests in listen-socket auth differently. This also adds comments to _handle_authentication_global() and _handle_authentication_mount_default() to explain the situation.
---
 src/connection.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/connection.c b/src/connection.c
index 31d2d00d..a71333ce 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -1347,6 +1347,7 @@ static void _handle_authentication_global(client_t *client, void *userdata, auth
     client->authstack = NULL;
 
     if (result != AUTH_NOMATCH &&
+        /* Allow global admins access to all mount points */
         !(result == AUTH_OK && client->admin_command != ADMIN_COMMAND_ERROR && acl_test_admin(client->acl, client->admin_command) == ACL_POLICY_DENY)) {
         _handle_authed_client(client, userdata, result);
         return;
@@ -1404,6 +1405,7 @@ static void _handle_authentication_mount_default(client_t *client, void *userdat
     client->authstack = NULL;
 
     if (result != AUTH_NOMATCH &&
+        /* Allow global admins access to all mount points */
         !(result == AUTH_OK && client->admin_command != ADMIN_COMMAND_ERROR && acl_test_admin(client->acl, client->admin_command) == ACL_POLICY_DENY)) {
         _handle_authed_client(client, userdata, result);
         return;
@@ -1418,8 +1420,7 @@ static void _handle_authentication_mount_normal(client_t *client, void *userdata
     auth_stack_release(client->authstack);
     client->authstack = NULL;
 
-    if (result != AUTH_NOMATCH &&
-        !(result == AUTH_OK && client->admin_command != ADMIN_COMMAND_ERROR && acl_test_admin(client->acl, client->admin_command) == ACL_POLICY_DENY)) {
+    if (result != AUTH_NOMATCH) {
         _handle_authed_client(client, userdata, result);
         return;
     }
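Review bot: The added comment in `_handle_authentication_global()` sits between the two operands of the `&&`, which reads as if the clause below it grants access, while that clause is the exclusion: an AUTH_OK result whose ACL denies `client->admin_command` is not passed to `_handle_authed_client()` here. Moving the comment above the `if` and saying what the exclusion does would be clearer, e.g. `/* A global-level AUTH_OK whose ACL denies this admin command is not accepted here, so a later auth stack still gets a chance to grant it. */`; the "later auth stack" part is inferred from the fall-through, which lies outside the hunk, and should be checked against the code that follows. The same comment is added at the same position in the `_handle_authentication_mount_default()` hunk and the same rewording applies there. Both functions start and end outside their hunks.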
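Review bot: Dropping the ACL clause in `_handle_authentication_mount_normal()` means an AUTH_OK result whose ACL denies `client->admin_command` is now handed to `_handle_authed_client()` instead of falling through, so the admin-command policy for this stack now rests entirely on what `_handle_authed_client()` does with `client->acl`, which is outside the hunk. That is the opposite of what the comment added to the global and mount-default stacks describes, so a comment above this `if` should record it, e.g. `/* Accept any match here; the admin-command ACL is applied by _handle_authed_client(), not by falling through to another stack. */`. Whether this is really the last stack the client can reach should be confirmed against the surrounding function, which starts and ends outside the hunk.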