User with no access to _system can get/set server license #20685

DiscoPYF · 2024-03-04T20:41:59Z

My Environment

ArangoDB Version: 3.11.8
Deployment Mode: Single Server
Deployment Strategy: Manual Start in Docker (Docker Desktop v4.72.2, WSL version: 2.0.9.0)
Configuration: N/A
Infrastructure: Laptop
Operating System: Windows 11 Pro 23H2
Total RAM in your machine: 32Gb
Disks in use: NVMe SSD
Used Package: N/A

Affected feature: Server license (user access to /_admin/license)

AQL query (if applicable): N/A

AQL explain and/or profile (if applicable): N/A

Dataset: N/A

Size of your Dataset on disk: N/A

Replication Factor & Number of Shards (Cluster only): N/A

Create a new container for image arangodb/enterprise:3.11.8.
Docker run command: docker run --hostname=<hostname> --mac-address=<mac_address> --env=ARANGO_ROOT_PASSWORD=root --env=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin --env=GLIBCXX_FORCE_NEW=1 -p 8530:8529 --restart=no --runtime=runc -d arangodb/enterprise:3.11.8
Set a new license with root user PUT http://localhost:8530/_db/_system/_admin/license
Create new user jdoe
Create DB jdoedb
Set access for jdoe in the web UI ("No Access" to _system, "Access" to jdoedb)

Problem:

Calls to get/set license with DB jdoedb and authenticated with jdoe user are successful (Tested with basic auth). jdoe is able to get and set the server license even though he doesn't have access to _system.

See screenshots below. On the left, access for jdoe user. On the right, API calls with Postman.

Expected result:

Calls to get/set license with DB jdoedb and authenticated with jdoe user are unauthorized. jdoe is not able to get and set the server license because he doesn't have access to _system.

The text was updated successfully, but these errors were encountered:

asifkazi · 2024-03-05T20:31:01Z

Will have engineering look into this, and try and test it later today, but I would suggest turning on server hardening to start with: https://docs.arangodb.com/3.11/operations/security/security-options/