yahoo-eng-team team mailing list archive
Message #16448
[Bug 1313746] Re: Non-admins can create public images
** Changed in: glance
Status: New => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1313746
Title:
Non-admins can create public images
Status in OpenStack Image Registry and Delivery Service (Glance):
Fix Released
Status in OpenStack Security Advisories:
Won't Fix
Status in OpenStack Security Notes:
Fix Released
Bug description:
Glance documentation ( http://docs.openstack.org/developer/glance/glanceapi.html ) states:
> Note Use of the is_public parameter is restricted to admin users. For all other users it will be ignored.
However, this is not true on havana, i.e. with horizon:
- user a uploads an image with is_public checkbox **checked**,
- user b logs in and can see that image in /project/images_and_snapshots/
It is reproducible with the command line of course:
vagrant@precise64:/opt/stack/horizon$ glance --os-username aa --os-password aa --os-tenant-name aa --os-auth-url http://127.0.0.1:5000/v2.0 image-create --is-public True --name hacked --disk-format qcow2 --container-format bare --file cirros-0.3.2-x86_64-disk.img
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | 64d7c1cd2b6f60c92c14662941cb7913 |
| container_format | bare |
| created_at | 2014-04-28T14:10:07 |
| deleted | False |
| deleted_at | None |
| disk_format | qcow2 |
| id | 8f843998-d69f-42ee-90a2-24031aa8fe5b |
| is_public | True |
| min_disk | 0 |
| min_ram | 0 |
| name | hacked |
| owner | c8df7a80acd44967a757ad1e346f3340 |
| protected | False |
| size | 13167616 |
| status | active |
| updated_at | 2014-04-28T14:10:07 |
+------------------+--------------------------------------+
vagrant@precise64:/opt/stack/horizon$ glance --os-username bb --os-password bb --os-tenant-name bb --os-auth-url http://127.0.0.1:5000/v2.0 image-list
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| d6b482f7-7922-46f2-b501-11d18fb20f41 | cirros-0.3.1-x86_64-uec | ami | ami | 25165824 | active |
| 5579dc39-06ba-4fa8-a9d9-b26d66e8a0b0 | cirros-0.3.1-x86_64-uec-kernel | aki | aki | 4955792 | active |
| bdfc240a-2c6b-4511-bf72-0b5a9453a24a | cirros-0.3.1-x86_64-uec-ramdisk | ari | ari | 3714968 | active |
| 8f843998-d69f-42ee-90a2-24031aa8fe5b | hacked | qcow2 | bare | 13167616 | active |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
Potentially, a malicious user could upload an image with a backdoor
and make it available to the public.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1313746/+subscriptions
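Added example, not part of the bug report and not Glance's own code: a small Python audit that flags public images whose owner is not an admin tenant (the detection an operator would run while the bug is unfixed), plus a check that a Glance policy.json does not leave the `publicize_image` rule open. The `publicize_image` rule name comes from Glance's policy file, not from this page. The image records below are constructed from the IDs in the report's `image-list` output; the owner IDs of the three cirros images are placeholders, as the report does not show them.

```python
"""Audit Glance image metadata for public images owned by non-admin tenants,
and check that policy.json restricts who may publicize images.

Added example for the bug above; not the reporter's code and not Glance's.
"""
import json

# Constructed sample data: the four images from the report's `image-list`
# output, in the shape of the v1 image metadata the CLI prints. The cirros
# images are given a placeholder admin owner; the "hacked" image keeps the
# owner tenant id shown in the report.
ADMIN_TENANT_PLACEHOLDER = "ADMIN-TENANT-ID-PLACEHOLDER"

SAMPLE_IMAGES = [
    {"id": "d6b482f7-7922-46f2-b501-11d18fb20f41", "name": "cirros-0.3.1-x86_64-uec",
     "is_public": True, "owner": ADMIN_TENANT_PLACEHOLDER},
    {"id": "5579dc39-06ba-4fa8-a9d9-b26d66e8a0b0", "name": "cirros-0.3.1-x86_64-uec-kernel",
     "is_public": True, "owner": ADMIN_TENANT_PLACEHOLDER},
    {"id": "bdfc240a-2c6b-4511-bf72-0b5a9453a24a", "name": "cirros-0.3.1-x86_64-uec-ramdisk",
     "is_public": True, "owner": ADMIN_TENANT_PLACEHOLDER},
    {"id": "8f843998-d69f-42ee-90a2-24031aa8fe5b", "name": "hacked",
     "is_public": True, "owner": "c8df7a80acd44967a757ad1e346f3340"},
]

# Constructed: the set of tenant ids that are allowed to publish images.
ADMIN_OWNERS = {ADMIN_TENANT_PLACEHOLDER}


def find_unauthorized_public_images(images, admin_owners):
    """Return the ids of images that are public but owned by a non-admin tenant.

    `images` is an iterable of dicts with at least `id`, `is_public` and
    `owner` keys (the fields `glance image-show` prints); `admin_owners` is
    the set of tenant ids permitted to publish.
    """
    return [
        img["id"]
        for img in images
        if img.get("is_public") is True and img.get("owner") not in admin_owners
    ]


def publicize_rule_is_open(policy_json):
    """True if the policy.json text lets any user publicize images.

    In Glance's policy syntax an empty rule ("") or "@" grants the action to
    everyone; anything else (for example "role:admin") is a restriction.
    A missing rule falls back to the "default" rule, which is also checked.
    """
    policy = json.loads(policy_json)
    rule = policy.get("publicize_image", policy.get("default", ""))
    return rule.strip() in ("", "@")


# Constructed policy fragments: the permissive setting beside the corrected one.
OPEN_POLICY = '{"default": "", "publicize_image": ""}'
RESTRICTED_POLICY = '{"default": "", "publicize_image": "role:admin"}'


if __name__ == "__main__":
    for image_id in find_unauthorized_public_images(SAMPLE_IMAGES, ADMIN_OWNERS):
        print("public image owned by non-admin tenant:", image_id)
    print("open policy allows publicize:", publicize_rule_is_open(OPEN_POLICY))
    print("restricted policy allows publicize:", publicize_rule_is_open(RESTRICTED_POLICY))
```

On a live deployment the `SAMPLE_IMAGES` list would be replaced by the metadata returned from the image API for every image, and the audit should be re-run after the policy is tightened, since an image published before the fix stays public until its `is_public` flag is reset.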