Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/cmd
History
Sharon Katz 7e0d0db1b1
Fix TOCTOU race in last global admin protection (#42172) 
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.

## Testing

- [X] QA'd all new/changed functionality manually

Server log when SCIM ingestion receives a deactivation event for the
last admin:
```log
ts=2026-04-01T15:23:01Z level=error msg="failed to delete fleet user on deactivation" component=SCIM err="cannot delete last global admin"
```
Server response when attempting to demote last admin:
```json
{
  "message": "Validation Failed",
  "errors": [
    {
      "name": "global_role",
      "reason": "cannot demote the last global admin"
    }
  ],
  "uuid": "1d110f56-25ac-47b8-bc96-982354474a87"
}
```
Server response when attempting to delete last admin:
```json
{
  "message": "Validation Failed",
  "errors": [
    {
      "name": "id",
      "reason": "cannot delete the last global admin"
    }
  ],
  "uuid": "1448c2da-30e2-4652-a9a8-a01fc4f9b9c1"
}
```

---

## Original AI Summary

- Fixes a TOCTOU race condition where two concurrent admin operations
could bypass the last-global-admin guard, leaving zero admins and
permanently locking out the Fleet instance (fleetdm/confidential#14827)
- Introduces two new atomic datastore methods
(`DeleteUserIfNotLastAdmin`, `SaveUserIfNotLastAdmin`) that wrap the
admin count check and the write in a single MySQL transaction with
`SELECT ... FOR UPDATE`
- Fixes all four vulnerable code paths: service `DeleteUser`, service
`ModifyUser` (two demotion paths), and SCIM user deletion

## Test plan

- [X] Manual verification: single admin cannot be deleted or demoted

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
2026-04-01 15:00:08 -03:00
..
cpe Add sw_edition to cpe db generation and cpe translations (#32879) 2025-09-17 11:30:49 -04:00
cve Reapply "Update Citrix Workspace CPE generation to distinguish betwee… (#41614) 2026-03-12 16:17:40 -07:00
fleet use redis to block double profile work for apple devices setting up (#42421) 2026-03-30 16:37:18 -05:00
fleetctl Fix TOCTOU race in last global admin protection (#42172) 2026-04-01 15:00:08 -03:00
gitops-migrate Add back gitops-migrate file (#33981) 2025-10-08 09:44:59 -05:00
macoffice Add new archive URL as data source for Mac Office release notes (#26978) 2025-03-10 08:46:18 -05:00
maintained-apps Cleanup temp installer files after download (#42463) 2026-03-30 10:14:36 -05:00
msrc Fix CI: extend grace periods for MSRC feeds and expand test coverage for file validation. (#37991) 2026-01-07 10:28:20 -06:00
osquery-perf Make orbit and Fleet Desktop not depend on server/service/ packages (#42231) 2026-03-26 10:59:42 -03:00
osv-processor OSV delta generation fix (#42697) 2026-03-31 13:21:06 -05:00