
yahoo-eng-team team mailing list archive

[Bug 1313746] Re: Non-admins can create public images


OK, opened and added OSSN task

** Information type changed from Private Security to Public

** Also affects: ossn
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1313746

Title:
  Non-admins can create public images

Status in OpenStack Image Registry and Delivery Service (Glance):
  New
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  New

Bug description:
  Glance documentation (
  http://docs.openstack.org/developer/glance/glanceapi.html ) states:

  > Note Use of the is_public parameter is restricted to admin users.
  For all other users it will be ignored.

  However, this is not true on havana, i.e., with horizon:

  - user a uploads an image with is_public checkbox **checked**,
  - user b logs in and can see that image in /project/images_and_snapshots/

  It is reproducible with the command line of course:

  vagrant@precise64:/opt/stack/horizon$ glance --os-username aa --os-password aa --os-tenant-name aa --os-auth-url http://127.0.0.1:5000/v2.0 image-create --is-public True --name hacked --disk-format qcow2 --container-format bare --file cirros-0.3.2-x86_64-disk.img
  +------------------+--------------------------------------+
  | Property         | Value                                |
  +------------------+--------------------------------------+
  | checksum         | 64d7c1cd2b6f60c92c14662941cb7913     |
  | container_format | bare                                 |
  | created_at       | 2014-04-28T14:10:07                  |
  | deleted          | False                                |
  | deleted_at       | None                                 |
  | disk_format      | qcow2                                |
  | id               | 8f843998-d69f-42ee-90a2-24031aa8fe5b |
  | is_public        | True                                 |
  | min_disk         | 0                                    |
  | min_ram          | 0                                    |
  | name             | hacked                               |
  | owner            | c8df7a80acd44967a757ad1e346f3340     |
  | protected        | False                                |
  | size             | 13167616                             |
  | status           | active                               |
  | updated_at       | 2014-04-28T14:10:07                  |
  +------------------+--------------------------------------+
  vagrant@precise64:/opt/stack/horizon$ glance --os-username bb --os-password bb --os-tenant-name bb --os-auth-url http://127.0.0.1:5000/v2.0 image-list
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
  | ID                                   | Name                            | Disk Format | Container Format | Size     | Status |
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
  | d6b482f7-7922-46f2-b501-11d18fb20f41 | cirros-0.3.1-x86_64-uec         | ami         | ami              | 25165824 | active |
  | 5579dc39-06ba-4fa8-a9d9-b26d66e8a0b0 | cirros-0.3.1-x86_64-uec-kernel  | aki         | aki              | 4955792  | active |
  | bdfc240a-2c6b-4511-bf72-0b5a9453a24a | cirros-0.3.1-x86_64-uec-ramdisk | ari         | ari              | 3714968  | active |
  | 8f843998-d69f-42ee-90a2-24031aa8fe5b | hacked                          | qcow2       | bare             | 13167616 | active |
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+

  Potentially, a malicious user could upload an image with a backdoor
  and make it available to the public.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1313746/+subscriptions
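The behaviour the reporter reproduces above is governed by the "publicize_image" rule in Glance's policy.json, which as shipped in Havana is the empty rule "" (allow everyone); restricting it to "role:admin" makes the documented "admin only" behaviour actually hold. The checker below is an added example, not code from the Glance project or from the bug reporter. It implements the subset of the oslo policy rule language that Glance policy files use (the empty rule, "@", "!", "role:NAME", "is_admin:True", "rule:NAME", "and"/"or", and the older list-of-lists form) and evaluates "publicize_image" for a plain tenant member. Parentheses and generic attribute checks such as "tenant:%(owner)s" are not implemented and raise instead of silently allowing. The two policy documents are constructed samples, and the function names are this example's own.

```python
"""Check whether a Glance policy.json lets non-admin users set is_public.

Added example (not Glance project code). Supported rule forms:
  ""  or "@"         always allowed          "!"              never allowed
  "role:NAME"        caller holds role NAME  "is_admin:True"  admin context
  "rule:NAME"        reference to another rule in the same file
  "A and B or C"     'and' binds tighter than 'or' (as in oslo.policy)
  [["A","B"],["C"]]  older list-of-lists form: OR of AND-lists
Anything else raises ValueError rather than being treated as "allow".
"""
import json

# Constructed sample policy (subset of keys). The empty rule means "everyone",
# so any authenticated user may publicize an image: the setting behind bug 1313746.
WEAK_POLICY = json.dumps({
    "context_is_admin": "role:admin",
    "default": "",
    "add_image": "",
    "publicize_image": "",
})

# Constructed hardened sample: only callers holding the admin role may set is_public.
HARDENED_POLICY = json.dumps({
    "context_is_admin": "role:admin",
    "default": "",
    "add_image": "",
    "publicize_image": "role:admin",
})


def _eval_atom(atom, rules, ctx, depth):
    """Evaluate one atom of a rule against the caller context `ctx`."""
    atom = atom.strip()
    if atom in ("", "@"):
        return True
    if atom == "!":
        return False
    if atom.startswith("rule:"):
        referenced = rules.get(atom[5:], rules.get("default", ""))
        return evaluate(referenced, rules, ctx, depth + 1)
    if atom.startswith("role:"):
        return atom[5:] in ctx.get("roles", [])
    if atom.startswith("is_admin:"):
        return str(bool(ctx.get("is_admin", False))).lower() == atom[9:].strip().lower()
    raise ValueError("unsupported policy atom: %r" % atom)


def evaluate(rule, rules, ctx, depth=0):
    """Return True if `rule` grants access to the caller described by `ctx`."""
    if depth > 20:
        raise ValueError("rule: references nest too deeply (cycle in policy file?)")
    if isinstance(rule, list):          # old list-of-lists syntax; [] means allow
        if not rule:
            return True
        clauses = [c if isinstance(c, list) else [c] for c in rule]
        return any(all(_eval_atom(a, rules, ctx, depth) for a in clause) for clause in clauses)
    # String syntax: split on " or " first so that "and" binds tighter.
    for disjunct in rule.split(" or "):
        if all(_eval_atom(a, rules, ctx, depth) for a in disjunct.split(" and ")):
            return True
    return False


def can_publicize(policy_text, roles=("Member",), is_admin=False):
    """True if a caller with these roles may create a public image under this policy."""
    rules = json.loads(policy_text)
    ctx = {"roles": list(roles), "is_admin": is_admin}
    # Glance falls back to the "default" rule when a key is absent.
    rule = rules.get("publicize_image", rules.get("default", ""))
    return evaluate(rule, rules, ctx)


def audit(policy_text):
    """Map each image-write rule of interest to whether a plain tenant member passes it."""
    rules = json.loads(policy_text)
    ctx = {"roles": ["Member"], "is_admin": False}
    return {name: evaluate(rules.get(name, rules.get("default", "")), rules, ctx)
            for name in ("add_image", "publicize_image")}


if __name__ == "__main__":
    for label, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit(text))
```

To audit a real deployment, pass the contents of /etc/glance/policy.json to audit(); a True for "publicize_image" with a Member-only context is the condition the reporter demonstrates with the two glance CLI calls. The static check does not replace the live test, since policy enforcement also depends on which API version and role names the deployment actually uses.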