This repository has been archived by the owner on Dec 15, 2020. It is now read-only.
Security Update
This release fixes a security issue when parsing scitokens.
Summary:
The xrootd-scitokens plugin v1.1.0 (and earlier) contains an authorization logic error that permits both read and write access to files when the user’s token authorizes only read or write permission.
Impact:
An authorized user with a valid token granting read access to files also obtains write access to those files (and vice versa). The impact does not apply to typical xrootd-scitokens deployment scenarios: (a) read-only filesystems (e.g., accessing caches) or (b) where both read and write permissions are granted for all generated tokens (e.g., OSG-Connect).
Recommendation:
Updating to xrootd-scitokens plugin v1.2 (or later) and restarting xrootd is recommended.
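The property the fix restores is that each operation is checked against its own scope. The sketch below is an added example, not the plugin's code, and the release note does not show the defect itself. It assumes scope strings of the form `read:/path` and `write:/path`; the function names are hypothetical and the scope values are constructed.

```python
import posixpath

# Storage operations a scope may name, e.g. "read:/path" or "write:/path".
STORAGE_OPS = {"read", "write"}

def parse_scopes(scope_claim):
    """Return a set of (operation, normalized_path) grants from a scope claim."""
    grants = set()
    for item in scope_claim.split():
        op, sep, path = item.partition(":")
        # Simplification for this example: require an explicit absolute path.
        if op not in STORAGE_OPS or not sep or not path.startswith("/"):
            continue
        grants.add((op, posixpath.normpath(path)))
    return grants

def path_within(base, target):
    """True if target equals base or lies below it, on segment boundaries."""
    if base == "/":
        return True
    return target == base or target.startswith(base + "/")

def is_authorized(scope_claim, operation, requested_path):
    """Allow only when one grant matches BOTH the operation and the path."""
    if operation not in STORAGE_OPS or not requested_path.startswith("/"):
        return False
    # Normalize first so "/data/../etc" is compared as "/etc".
    target = posixpath.normpath(requested_path)
    return any(op == operation and path_within(base, target)
               for op, base in parse_scopes(scope_claim))

if __name__ == "__main__":
    # Constructed scope claims, not taken from a real token.
    read_only = "read:/data/public"
    for op in ("read", "write"):
        print(op, is_authorized(read_only, op, "/data/public/file.root"))
```

The same cases make a quick regression check after upgrading: a read-only token must be refused a write, and a write-only token must be refused a read.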