edge-control: deregister has no ownership check — any authorized SSH key can take over any project #1091
Reference: disinto-admin/disinto#1091
Mirrored from johba/disinto#832
---

## Problem

`tools/edge-control/register.sh:109-144` (`do_deregister`) removes a project from the registry with no check that the caller owns it. The only auth gate is SSH access to the `disinto-register` user (forced command seeded in `install.sh:363`). Any key in that `authorized_keys` file can:

1. `deregister <project>` on any project, regardless of who registered it.
2. `register <project> <attacker-pubkey>` and reclaim the name.

The first-write-wins pubkey binding in `lib/ports.sh:74-82` protects a live registration — `allocate_port` early-returns the existing port without touching the stored pubkey — but offers no protection once the entry has been deleted.

Today, with only one admin key seeded by `install.sh`, the blast radius is bounded by that key. The gap becomes severe as soon as a second operator key is added or the admin key is compromised.

## Proposal

Require the caller to prove ownership on `deregister`:

- `deregister <project> <pubkey>`.
- `do_deregister`, load `.projects[$project].pubkey` from `registry.json` and refuse unless the supplied pubkey matches byte-for-byte.
- `{"error":"pubkey mismatch"}` on failure; do not reveal the stored pubkey.

This is a one-function change in `register.sh` plus the dev-box CLI update that calls it.

## Acceptance

- `deregister` without a matching pubkey returns an error and leaves the registry untouched.
- `deregister` with the correct pubkey works as today.