No authentication for /unattended/provision templates

Support
1

I'm finding that there is no authentication needed when viewing
https://foreman-server/unattended/provision?hostname=HOSTNAME

I have ":login: true" in the foreman settings.yml file and user accounts
are setup to authenticate through LDAP. Looking at debug logs on the
Foreman server, I see the following:

When requesting the /unattended/provision file -

Started GET "/unattended/provision?hostname=some.host.name" for
10.10.10.112 at 2014-04-25 13:51:47 -0700
Processing by UnattendedController#provision as HTML
Parameters: {"hostname"=>"some.host.name"}
Host::Managed Load (2.3ms) SELECT hosts.* FROM hosts WHERE
hosts.type IN ('Host::Managed') AND hosts.ip IS NULL LIMIT 1
Host::Managed Load (1.3ms) SELECT hosts.* FROM hosts WHERE
hosts.type IN ('Host::Managed') AND hosts.name = 'some.host.name'
LIMIT 1
Operatingsystem Load (3.9ms) SELECT operatingsystems.* FROM
operatingsystems WHERE operatingsystems.id = 2 ORDER BY
operatingsystems.name LIMIT 1
Found some.host.name
Medium Load (1.0ms) SELECT media.* FROM media WHERE media.id = 7
ORDER BY media.name LIMIT 1
Architecture Load (0.9ms) SELECT architectures.* FROM architectures
WHERE architectures.id = 1 LIMIT 1
ConfigTemplate Load (3.9ms) SELECT config_templates.* FROM
config_templates INNER JOIN config_templates_operatingsystems ON
config_templates_operatingsystems.config_template_id =
config_templates.id INNER JOIN operatingsystems ON
operatingsystems.id =
config_templates_operatingsystems.operatingsystem_id INNER JOIN
template_kinds ON template_kinds.id =
config_templates.template_kind_id INNER JOIN template_combinations ON
template_combinations.config_template_id = config_templates.id
INNER JOIN environments ON environments.id =
template_combinations.environment_id WHERE operatingsystems.id = 2
AND template_kinds.name = 'provision' AND environments.id = 8 ORDER
BY config_templates.name LIMIT 1
ConfigTemplate Load (2.1ms) SELECT config_templates.* FROM
config_templates INNER JOIN config_templates_operatingsystems ON
config_templates_operatingsystems.config_template_id =
config_templates.id INNER JOIN operatingsystems ON
operatingsystems.id =
config_templates_operatingsystems.operatingsystem_id INNER JOIN
template_kinds ON template_kinds.id =
config_templates.template_kind_id INNER JOIN os_default_templates ON
os_default_templates.config_template_id = config_templates.id WHERE
operatingsystems.id = 2 AND template_kinds.name = 'provision' AND
os_default_templates.operatingsystem_id = 2 ORDER BY
config_templates.name LIMIT 1
rendering DB template Preseed Ubuntu - provision
ComputeResource Load (1.0ms) SELECT compute_resources.* FROM
compute_resources WHERE compute_resources.id = 1 ORDER BY
compute_resources.name LIMIT 1
Subnet Load (1.1ms) SELECT subnets.* FROM subnets WHERE
subnets.id = 3 ORDER BY vlanid LIMIT 1
Domain Load (0.9ms) SELECT domains.* FROM domains WHERE
domains.id = 1 ORDER BY domains.name LIMIT 1
Ptable Load (1.2ms) SELECT ptables.* FROM ptables WHERE
ptables.id = 2 ORDER BY ptables.name LIMIT 1
CommonParameter Load (1.0ms) SELECT parameters.* FROM parameters
WHERE parameters.type IN ('CommonParameter') ORDER BY parameters.name
Organization Load (0.9ms) SELECT taxonomies.* FROM taxonomies WHERE
taxonomies.type IN ('Organization') AND taxonomies.id = 18 LIMIT 1
OrganizationParameter Load (1.1ms) SELECT parameters.* FROM
parameters WHERE parameters.type IN ('OrganizationParameter') AND
parameters.reference_id = 18 ORDER BY parameters.name
Location Load (0.8ms) SELECT taxonomies.* FROM taxonomies WHERE
taxonomies.type IN ('Location') AND taxonomies.id = 1 LIMIT 1
LocationParameter Load (0.9ms) SELECT parameters.* FROM parameters
WHERE parameters.type IN ('LocationParameter') AND
parameters.reference_id = 1 ORDER BY parameters.name
DomainParameter Load (1.1ms) SELECT parameters.* FROM parameters
WHERE parameters.type IN ('DomainParameter') AND
parameters.reference_id = 1 ORDER BY parameters.name
OsParameter Load (0.9ms) SELECT parameters.* FROM parameters WHERE
parameters.type IN ('OsParameter') AND parameters.reference_id = 2
ORDER BY parameters.name
HostParameter Load (1.0ms) SELECT parameters.* FROM parameters WHERE
parameters.type IN ('HostParameter') AND parameters.reference_id =
767 ORDER BY parameters.name
(0.8ms) SELECT puppetclass_id FROM host_classes WHERE
host_classes.host_id = 767
LookupKey Load (0.6ms) SELECT lookup_keys.* FROM lookup_keys WHERE
lookup_keys.puppetclass_id IN (NULL) ORDER BY lookup_keys.key
CACHE (0.0ms) SELECT parameters.* FROM parameters WHERE
parameters.type IN ('CommonParameter') ORDER BY parameters.name
CACHE (0.0ms) SELECT puppetclass_id FROM host_classes WHERE
host_classes.host_id = 767
CACHE (0.0ms) SELECT lookup_keys.* FROM lookup_keys WHERE
lookup_keys.puppetclass_id IN (NULL) ORDER BY lookup_keys.key
Token Load (1.1ms) SELECT tokens.* FROM tokens WHERE
tokens.host_id = 767 LIMIT 1
Rendered inline template (57.4ms)
Completed 200 OK in 92ms (Views: 43.9ms | ActiveRecord: 29.9ms)

Other page functioning normal:

Started PUT "/settings/46" for 10.10.10.112 at 2014-04-25 13:48:27 -0700
Processing by SettingsController#update as JSON
Parameters: {"setting"=>{"value"=>"[FILTERED]"}, "id"=>"46",
"authenticity_token"=>""Hq3JajIWLQWOCOgpxGF+BGXKCIlijlijjkQUNiTYWFI=""}
User Load (1.8ms) SELECT users.* FROM users WHERE users.id = 2
LIMIT 1
Setting current user thread-local variable to someuser
(0.7ms) SELECT COUNT() FROM taxonomies WHERE taxonomies.type IN
('Organization')
Setting current organization thread-local variable to none
(0.6ms) SELECT COUNT() FROM taxonomies WHERE taxonomies.type IN
('Location')
Setting current location thread-local variable to none
(1.0ms) SELECT id FROM taxonomies WHERE taxonomies.type IN
('Location') LIMIT 1
(0.6ms) SELECT id FROM taxonomies WHERE taxonomies.type IN
('Organization') LIMIT 1
Setting Load (1.1ms) SELECT settings.* FROM settings WHERE
settings.id = 46 ORDER BY name LIMIT 1
(0.4ms) BEGIN
Setting Exists (0.7ms) SELECT 1 AS one FROM settings WHERE
(settings.name = BINARY 'token_duration' AND settings.id != 46)
LIMIT 1
removing token_duration from cache
CACHE (0.0ms) SELECT settings.* FROM settings WHERE settings.id
= 46 ORDER BY name LIMIT 1
(0.8ms) SELECT MAX(audits.version) AS max_id FROM audits WHERE
audits.auditable_id = 46 AND audits.auditable_type = 'Setting'
SQL (0.7ms) INSERT INTO audits (action, associated_id,
associated_name, associated_type, auditable_id, auditable_name,
auditable_type, audited_changes, comment, created_at,
remote_address, user_id, user_type, username, version) VALUES
('update', NULL, NULL, NULL, 46, 'token_duration', 'Setting',
'—\nvalue:\n- ! '— 0\n\n …\n\n'\n- \n', NULL, '2014-04-25
20:48:27', '10.10.10.112', NULL, NULL, 'Some User', 2)
(0.9ms) UPDATE settings SET value = NULL, updated_at =
'2014-04-25 20:48:27' WHERE settings.category IN
('Setting::Provisioning') AND settings.id = 46
(9.6ms) COMMIT
Completed 200 OK in 52ms (Views: 2.7ms | ActiveRecord: 18.8ms)

It seems like it just skips the "Setting current user thread-local variable
to someuser" line for the /unattended/provision page. This seems like a
bug to me so I'll file a bug report unless I'm overlooking something.

2

That’s sort of intentional, since those URL’s are used for things that need to happen without
user intervention.

However, in most provisioning scenarios, the host will generally use a token to get their template.
If tokens are enabled, then URLs without should probably require authentication I guess.

··· On 25 Apr 2014, at 23:04, Dylan Charleston wrote: > > It seems like it just skips the "Setting current user thread-local variable to someuser" line for the /unattended/provision page. This seems like a bug to me so I'll file a bug report unless I'm overlooking something.


Stephen Benjamin
stephen@bitbin.de

3

Thanks for your reply Stephen,

https://foreman-server/unattended/provision?spoof=HOSTNAME requires
authentication and expires once the machine is built so it doesn't seem
logical to not secure
https://foreman-server/unattended/provision?hostname=HOSTNAME

4

+1 this has surprised my site as well. There is information in our default templates that we consider proprietary.

··· > On Apr 25, 2014, at 3:01 PM, Dylan Charleston wrote: > > Thanks for your reply Stephen, > > https://foreman-server/unattended/provision?spoof=HOSTNAME requires authentication and expires once the machine is built so it doesn't seem logical to not secure https://foreman-server/unattended/provision?hostname=HOSTNAME > > > -- > You received this message because you are subscribed to the Google Groups "Foreman users" group. > To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com. > To post to this group, send email to foreman-users@googlegroups.com. > Visit this group at http://groups.google.com/group/foreman-users. > For more options, visit https://groups.google.com/d/optout.
5

this is a bug [1] - currently private as we do with all security related bugs.

In the future, please do not discuss security related issues on the
public mailing list, instead follow the guidelines at [2]

Ohad

[1] Bug #5436: CVE-2014-0192 - provisioning templates are world accessible - Foreman
[2] Foreman :: Security

··· On Sat, Apr 26, 2014 at 1:24 AM, Aaron Stone wrote: > +1 this has surprised my site as well. There is information in our default > templates that we consider proprietary.
6

> In the future, please do not discuss security related issues on the
> public mailing list, instead follow the guidelines at [2]

I think google groups has an option to add header text when making new
post via their UI. Can we add this there?

··· -- Later,

Lukas “lzap” Zapletal
irc: lzap #theforeman