yahoo-eng-team team mailing list archive
Message #24048
[Bug 1354512] Re: Anonymous user can download public image through Swift
This was published as OSSN-0025:
https://wiki.openstack.org/wiki/OSSN/OSSN-0025
** Changed in: ossn
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1354512
Title:
Anonymous user can download public image through Swift
Status in OpenStack Image Registry and Delivery Service (Glance):
New
Status in OpenStack Security Advisories:
Won't Fix
Status in OpenStack Security Notes:
Fix Released
Bug description:
When Glance uses Swift as its backend, and Swift uses the delay_auth_decision
feature (for temporary URLs, for example), anyone can download public
images anonymously from Swift by direct URL.
Steps to reproduce:
1. Set
     delay_auth_decision = 1
   in Swift's proxy-server.conf. Set
     default_store = swift
     swift_store_multi_tenant = True
     swift_store_create_container_on_put = True
   in Glance's glance-api.conf.
2. Create a public image:
     glance image-create --name fake_image --file <some_text_file_name> --is-public True
   You may use a text file to reproduce the error, for descriptive reasons.
   Use the image id you got in the next step.
3. Download the created image with curl:
     curl <swift_endpoint>/glance_<image_id>/<image_id>
   See your file in the output.
   If swift_store_container in your glance-api.conf is not 'glance', use the appropriate prefix in the command above.
Glance sets the read ACL to '.r:*,.rlistings' for all public images. Thus,
since anyone has access to Swift (by the delay_auth_decision parameter),
anyone can download a public image.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1354512/+subscriptions
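The report describes a combination of three settings: delay_auth_decision in Swift's proxy-server.conf, the Swift store in glance-api.conf, and the '.r:*,.rlistings' read ACL Glance puts on its containers. The following audit helper is an added example, not code from the bug report, from Glance or from Swift. It parses constructed config fragments and a constructed set of container HEAD headers and flags that combination. The section names in the fragments ([filter:authtoken], [DEFAULT]) are assumptions about where the keys live, so the lookup searches every section; the referrer-ACL prefixes it recognises (.r:, .ref:, .referer:, .referrer:) are the aliases Swift's ACL parser accepts.

```python
"""Audit helper for the Glance-on-Swift exposure described in OSSN-0025.

Added example, not part of the bug report or of Glance/Swift. All inputs
below (config fragments, container headers) are constructed for the demo.
"""
import configparser
from typing import Dict, List, Optional

# Constructed proxy-server.conf fragment with the setting from the report.
# The [filter:authtoken] section name is an assumption; find_option() searches all sections.
PROXY_CONF_RISKY = """\
[pipeline:main]
pipeline = catch_errors healthcheck authtoken keystoneauth proxy-server

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
delay_auth_decision = 1
"""

# Constructed glance-api.conf fragment matching the reporter's settings.
GLANCE_CONF_RISKY = """\
[DEFAULT]
default_store = swift
swift_store_multi_tenant = True
swift_store_create_container_on_put = True
"""

# Constructed HEAD responses for a Glance-created container.
# '.r:*,.rlistings' is the ACL the report says Glance sets on public images.
CONTAINER_HEADERS_PUBLIC = {"X-Container-Read": ".r:*,.rlistings"}
CONTAINER_HEADERS_PRIVATE = {"X-Container-Read": "tenant_a:user_b"}

# Spellings that oslo.config / paste treat as boolean true.
TRUE_VALUES = {"1", "true", "yes", "on"}


def find_option(conf_text: str, key: str) -> Optional[str]:
    """Return the value of `key` from the DEFAULT section or any other section, else None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if key in parser.defaults():
        return parser.defaults()[key]
    for section in parser.sections():
        if parser.has_option(section, key):
            return parser.get(section, key)
    return None


def is_true(value: Optional[str]) -> bool:
    return value is not None and value.strip().lower() in TRUE_VALUES


def anonymous_read_allowed(acl: Optional[str]) -> bool:
    """True if a Swift read ACL contains a wildcard referrer grant (.r:*).

    Swift referrer ACL elements use the prefixes .r:, .ref:, .referer: or
    .referrer:; the value '*' grants read access to any referrer, including
    requests with no referrer and no token at all.
    """
    if not acl:
        return False
    for element in (e.strip() for e in acl.split(",")):
        for prefix in (".r:", ".ref:", ".referer:", ".referrer:"):
            if element.lower().startswith(prefix) and element[len(prefix):] == "*":
                return True
    return False


def audit(proxy_conf: str, glance_conf: str, container_headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the OSSN-0025 condition; empty list if none."""
    findings: List[str] = []
    delayed = is_true(find_option(proxy_conf, "delay_auth_decision"))
    store = (find_option(glance_conf, "default_store") or "").strip().lower()
    if delayed:
        findings.append(
            "proxy-server.conf: delay_auth_decision is enabled, so requests without "
            "a valid token are passed on to the container ACL check")
    if delayed and store == "swift":
        findings.append(
            "glance-api.conf: default_store = swift together with delayed auth; "
            "public images are reachable from Swift without a token")
    read_acl = next((v for k, v in container_headers.items()
                     if k.lower() == "x-container-read"), None)
    if anonymous_read_allowed(read_acl):
        findings.append(f"container read ACL {read_acl!r} grants anonymous (.r:*) download")
    return findings


if __name__ == "__main__":
    for line in audit(PROXY_CONF_RISKY, GLANCE_CONF_RISKY, CONTAINER_HEADERS_PUBLIC):
        print("FINDING:", line)
```

In a real deployment the container headers would come from a HEAD request against the Glance container (for example via `swift stat <container>`) rather than the constructed dictionary; the config parsing works unchanged on the real files.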