Hello Narrotam,
Authorization isn't enforced at the LMI level unless you're using Management Authorization:
https://www.ibm.com/docs/en/sva/10.0.4?topic=settings-managing-roles-users-groups
Regardless, the LMI Authorization is totally decoupled from the 'pdadmin' authorization, which relies on ACLs.
The pdadmin authorization is determined by the value used for 'user_id' in the pdadmin command line.
Furthermore, the default effective ACL on the '/Management/Users' endpoint allows any authenticated user to Traverse and view the Users endpoint:
pdadmin sec_master> object show /Management/Users
Name: /Management/Users
Description: Delegated user administration root.
Type: 0 (Unknown)
Is Policy Attachable: Yes
Extended Attributes:
Attached ACL:
Attached POP:
Attached AuthzRule:
Effective Extended Attributes:
Effective ACL: default-management
Effective POP:
Effective AuthzRule:
pdadmin sec_master> acl show default-management
ACL Name: default-management
Description: Default Management ACL.
Entries:
Group iv-admin TcmdbsvaBtRNWA
Group ivmgrd-servers Ts
Any-other Tv
pdadmin sec_master>
The minimum permissions needed to perform the 'user list' command are 'Tv'. When a user attempts to run this command it will come back with no result, but it will not throw an error when you have no permissions.
------------------------------
JACK YARBOROUGH
------------------------------
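An added example (not part of Jack's reply or of any IBM tooling) that turns the point above into a check an administrator can run: it parses the 'acl show' text quoted in the reply, resolves which permission string a given principal ends up with, confirms whether that string carries the 'Tv' bits the reply names as the minimum for 'user list', and flags Any-other or Unauthenticated entries that grant more than traverse. The sample ACL text is the one quoted above; the evaluation order (explicit User entry, then the union of matching Group entries, then Any-other) is an assumption about how the policy server resolves entries, and the letters other than T and v are not interpreted beyond being treated as permission bits.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the 'acl show default-management' output quoted in the reply.
SAMPLE_ACL_OUTPUT = """\
ACL Name: default-management
Description: Default Management ACL.
Entries:
Group iv-admin TcmdbsvaBtRNWA
Group ivmgrd-servers Ts
Any-other Tv
"""

# An entry line is "<kind> [<name>] <permission bits>"; Any-other and
# Unauthenticated carry no name.
ENTRY_RE = re.compile(r"^(User|Group|Any-other|Unauthenticated)\s+(?:(\S+)\s+)?(\S+)$")

Entries = Dict[Tuple[str, str], str]


def parse_acl(text: str) -> Tuple[Optional[str], Entries]:
    """Return (acl name, entries) where entries maps (kind, name) -> permission bits."""
    name = None
    entries: Entries = {}
    in_entries = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ACL Name:"):
            name = line.split(":", 1)[1].strip()
        elif line == "Entries:":
            in_entries = True
        elif in_entries and line:
            m = ENTRY_RE.match(line)
            if m:
                kind, who, perms = m.groups()
                entries[(kind, who or "")] = perms
    return name, entries


def effective_permissions(entries: Entries, user: str, groups: List[str]) -> str:
    """Resolve the bits an authenticated principal gets from this ACL.

    Assumed order: an explicit User entry wins; otherwise the union of the
    principal's matching Group entries; otherwise the Any-other entry.
    """
    if ("User", user) in entries:
        return entries[("User", user)]
    group_bits = "".join(entries.get(("Group", g), "") for g in groups)
    if group_bits:
        return "".join(sorted(set(group_bits)))
    return entries.get(("Any-other", ""), "")


def has_permissions(granted: str, required: str) -> bool:
    """True when every required bit (e.g. 'Tv' for 'user list') is present."""
    return all(bit in granted for bit in required)


def audit_open_entries(entries: Entries, allowed: str = "T") -> List[Tuple[str, str, str]]:
    """Flag Any-other / Unauthenticated entries carrying bits beyond `allowed`.

    Returns (kind, granted bits, bits beyond the allowed set). Traverse alone is
    usually needed so that ACLs deeper in the tree can be reached; anything more
    on a /Management object deserves a second look.
    """
    findings = []
    for (kind, _who), perms in entries.items():
        if kind in ("Any-other", "Unauthenticated"):
            extra = "".join(b for b in perms if b not in allowed)
            if extra:
                findings.append((kind, perms, extra))
    return findings


if __name__ == "__main__":
    acl_name, acl_entries = parse_acl(SAMPLE_ACL_OUTPUT)
    # A user with no group or ACL membership falls through to Any-other.
    bits = effective_permissions(acl_entries, "plain_user", [])
    print(f"{acl_name}: plain_user gets '{bits}', user list allowed: {has_permissions(bits, 'Tv')}")
    for kind, perms, extra in audit_open_entries(acl_entries):
        print(f"FINDING: {kind} has '{perms}' (beyond traverse: '{extra}')")
```

Running it against the quoted ACL reports that an ungrouped user resolves to 'Tv' and that the Any-other entry grants 'v' beyond traverse, which is exactly why the 'user list' call in the original post returns data; the fix is to attach a tighter ACL on '/Management/Users' (or adjust default-management) rather than anything at the LMI level.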
Original Message:
Sent: Mon September 19, 2022 12:29 AM
From: Narottam Singh
Subject: Security Issue : No Authorization Needed for reading data for PDADMIN via REST API
Hi Team
We had a scenario where we are reading all the users from the ISAM system through the pdadmin command:
https://{appliance_hostname}/pdadmin
Method : Post
POST_DATA: { "user_id":"The user id", "user_pwd":"The userpassword", "commands": [] }
Expected Result
User with required permission should be able to fetch data from system
Actual Result
Any user without a Group or ACL membership assigned is able to fetch the data, which looks like a security bug.
------------------------------
Narottam Singh
------------------------------