Software Development Kit (SDK) and API Discussions

HOSTS authentication problem

shalondwood
9,516 Views

I'm trying to use host-based authentication (h

osts.equiv), but it's failing. I get the error:

"User  does not have capability to invoke API quota-report."

 

If it's not clear, there are two spaces after 'User', as if it were printing a null username. Sure enough, from the log:

Tue Oct 27 11:44:14 CDT [near19: useradmin.unauthorized.user:warning]: User '' denied access - missing required capability: 'api-quota-report'

 

Am I missing something?

24 REPLIES 24

kcollins
3,027 Views

This most certainly IS a vulnerability!  ANY USER can claim to be root and run commands. That user clearly is NOT root, so it should not be authenticated!

The real user id should be passed through the SDK for this "fallback" authentication method and only allowed if the real user is allowed via hosts.equiv.

Thanks,

Kevin

kvishal
3,027 Views

A non root user cannot execute API with user input as root. The API will error out, if the user is not a root.

Something like this

Vishal Kulkarni

Member Technical Staff

SMAI

NetApp

080-41844244 Direct

9986500905 Mobile

vishal.kulkarni@netapp.com

www.netapp.com

kcollins
3,027 Views

A non root user *IS* running this and there is no error. I am using it right now as my own user with no issues:

cpafisc8-> id
uid=14665(cokm) gid=508(techteam) groups=506(tape),507(usradm),513(taxdart),666(security)

cpafisc8-> cat hello_ontapi.pl
#!/usr/bin/perl

my $VERSION = '1.0';    # Controls the SDK release.

use strict;

use lib '/util/bin/netapp/manage-ontap-sdk-3.5.1/lib/perl/NetApp';
use NaServer;
use Pod::Usage;

die pod2usage(
        verbose => 1
) unless $ARGV[0];

our $filer = $ARGV[0];

our $s = NaServer->new($filer, 1, 1);
$s->set_style("LOGIN");
$s->set_admin_user("root", "");

our $output = $s->invoke( "system-get-version" );
if ($output->results_errno != 0) {
        our $r = $output->results_reason();
        print "Failed: $r\n";
}
else {
        our $r = $output->child_get_string( "version" );

        print "$r\n";
}

cpafisc8-> ./hello_ontapi.pl cpafisnas2
NetApp Release 7.2.5.1: Wed Jun 25 08:55:16 PDT 2008

Thanks,

Kevin

craig_cowen
3,026 Views

I realize this might be old news to some but, testing on a SIM version 8.0.1, setting the options httpd.admin.hostsequiv.enable to on solved this for me.

Public