[users at bb.net] Restrict user access to /json and other magic urls

Pierre Tardy tardyp at gmail.com
Fri Aug 19 10:10:16 UTC 2016 

Hi Narunas,

The security schemes implemented in buildbot was mainly done to prevent
users to do some restricted actions on the bot.

I was not aware of the view restriction functionality in buildbot eight.
Indeed it looks like to very well implemented if the json api is not
accounting for this restriction.

You can in theory configure read restrictions in buildbot nine, however
this is not supported by the UI, and might give you strange results.

Pierre

Le ven. 19 août 2016 à 11:57, Narunas Krasauskas <narun4sk at gmail.com> a
écrit :

> Hi bb-users,
>
> At present I'm exploring Buildbot version 0.8.14, which I have installed
> via pip.
>
> After reading:
> http://docs.buildbot.net/current/manual/cfg-statustargets.html?highlight=authz#webstatus-configuration-parameters
>
> I ended with the following config:
>
> auth_usr = auth.BasicAuth([('usr', 'pwd')])
>
> authz_cfg=authz.Authz(
>     auth=auth_usr,
>     view = 'auth',
>     forceBuild = 'auth',
>     forceAllBuilds = False,
>     pingBuilder = False,
>     gracefulShutdown = False,
>     pauseSlave = 'auth',
>     stopBuild = 'auth',
>     stopAllBuilds = False,
>     cancelPendingBuild = 'auth',
>     cancelAllPendingBuilds = False,
>     stopChange = 'auth',
>     cleanShutdown = True,
>     showUsersPage = False,
> )
>
> c['status'].append(
>     html.WebStatus(
>         http_port='tcp:8010:interface=46.101.x.x',
>         authz=authz_cfg,
>         change_hook_auth=['file:changehook.passwd'],
>         change_hook_dialects={'gitlab': True},
>     )
> )
>
>
> Such config at a first glance work in a way you would expect it to and
> restrict user access to urls such as http://46.101.x.x:8010/builders.
>
> However if I specify URL in full:
> http://46.101.x.x:8010/builders/my-builder/builds/0/steps/git/logs/stdio
>
> I get full access to the details, regardless the fact that I'm logged off.
> Just to prove myself that I'm not insane and that I'm not experiencing some
> kind of browser cache issue I've tried to open that url in the different
> browser and it worked.
>
> Same applies to the /json. I don't have to be logged in to browse through
> developer emails, server IP addresses and ports, revision IDs and other
> vital information.
>
>
> Currently the only way I can think of to enhance security is to put
> Buildbot behind reverse proxy...
>
> Has security never been the main goal of the Buildbot, or have I just
> found a nasty bug?
>
>
> Thanks
>
> Narunas
>
> _______________________________________________
> users mailing list
> users at buildbot.net
> https://lists.buildbot.net/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.buildbot.net/pipermail/users/attachments/20160819/b90c1e9e/attachment.html>

More information about the users mailing list