Token scope escape issue


(DuĊĦan Baran) #1

Hello,
OpenNebula token handling mechanism does not check scoped token group. Here is an example: Users with scoped token for GID 0 can use this token to generate scoped token for GID 1.

We tried to fix this issue with PR https://github.com/OpenNebula/one/pull/1679, but unfortunately, this does not fix it.

We need to check whether users are logged in using scoped token. Looking into file src/rm/RequestManagerUser.cc we found that we could raise an error, if only we knew how was the user logged in and what GID is in his scoped token. However, after a few hours of surfing through OpenNebula code, we could not find a way to do it. Can anyone help us with this issue?

Thank you for your time,
Dusan Baran.