remote: enforce ACL write permission for getting guest time & hostname

Getting the guest time and hostname both require use of guest agent commands. These must not be allowed for read-only users, so the permissions check must validate "write" permission not "read". Fixes CVE-2019-3886 Reviewed-by: N Jim Fehlig <jfehlig@suse.com> Signed-off-by: N Daniel P. Berrangé <berrange@redhat.com>

remote: enforce ACL write permission for getting guest time & hostname
Getting the guest time and hostname both require use of guest agent commands. These must not be allowed for read-only users, so the permissions check must validate "write" permission not "read". Fixes CVE-2019-3886 Reviewed-by: N Jim Fehlig <jfehlig@suse.com> Signed-off-by: N Daniel P. Berrangé <berrange@redhat.com>
ae076bb4 · Daniel P. Berrangé · 2a07c990 · ae076bb4
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

src/remote/remote_protocol.x src/remote/remote_protocol.x +2 -2

未找到文件。
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -5513,7 +5513,7 @@ enum remote_procedure {

    /**
     * @generate: both
-     * @acl: domain:read
+     * @acl: domain:write
     */
    REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,

@@ -5908,7 +5908,7 @@ enum remote_procedure {

    /**
     * @generate: none
-     * @acl: domain:read
+     * @acl: domain:write
     */
    REMOTE_PROC_DOMAIN_GET_TIME = 337,