This repository has been archived by the owner on Dec 15, 2020. It is now read-only.

Security Update

@djw8605 djw8605 released this 26 Mar 16:35 · 44 commits to master since this release · commit 124062e

This release fixes a security issue when parsing scitokens.

Summary:

The xrootd-scitokens plugin v1.1.0 (and earlier) contains an authorization logic error that permits both read and write access to files when the user’s token authorizes only read or write permission.
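The check that the fix has to enforce, shown as an added example (this is not the plugin's own code, whose defect is not reproduced on this page): every requested operation is mapped to exactly one required scope action, and access is granted only when a token scope with that exact action covers the target path, so a read scope never satisfies a write request and vice versa. The `read:/path` / `write:/path` scope syntax follows the SciTokens convention; the operation names, the helper functions and the sample token claims are assumptions constructed for the example.

```python
# Required scope action per requested operation (operation names are assumed).
REQUIRED_SCOPE = {
    "read": "read",
    "stat": "read",
    "write": "write",
    "create": "write",
    "delete": "write",
}


def parse_scopes(scope_claim: str) -> list[tuple[str, str]]:
    """Parse a space-separated SciTokens 'scope' claim into (action, path) pairs.

    A scope without a path ('read') is treated as covering the root '/'.
    """
    scopes = []
    for item in scope_claim.split():
        action, _, path = item.partition(":")
        path = path.rstrip("/") or "/"
        scopes.append((action, path))
    return scopes


def path_covered(prefix: str, target: str) -> bool:
    """True when target is prefix itself or lies below it (component-wise, not textual)."""
    if prefix == "/":
        return True
    return target == prefix or target.startswith(prefix + "/")


def is_authorized(scope_claim: str, operation: str, path: str) -> bool:
    """Authorize one operation on one path against the token's scopes.

    The action must match the required one exactly: a 'read' scope does not
    authorize 'write' operations, and a 'write' scope does not authorize reads.
    Unknown operations are denied.
    """
    needed = REQUIRED_SCOPE.get(operation)
    if needed is None:
        return False
    target = "/" + path.strip("/")
    return any(
        action == needed and path_covered(prefix, target)
        for action, prefix in parse_scopes(scope_claim)
    )


if __name__ == "__main__":
    # Constructed sample claims: a read-only token must not obtain write access.
    print(is_authorized("read:/store", "read", "/store/a.root"))   # True
    print(is_authorized("read:/store", "write", "/store/a.root"))  # False
```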

Impact:

An authorized user with a valid token granting read access to files also obtains write access to those files (and vice versa). The impact does not apply to typical xrootd-scitokens deployment scenarios: (a) read-only filesystems (e.g., accessing caches) or (b) where both read and write permissions are granted for all generated tokens (e.g., OSG-Connect).

Recommendation:

Updating to xrootd-scitokens plugin v1.2 (or later) and restarting xrootd is recommended.