On 20/10/11 00:55, Justin Clift wrote:
>
> Just noticed something really old, but might still be important as it
> sounds indicative of a security problem.
>
> <snip>
>> * ... The
>> mock driver stores its files in /var/tmp (how well does that
>> actually work under Windows ?)
>
> Just to ask the question, does this mean we have an information leak
> here, where "other users on a server" can potentially get details?
>

The 'files' that the mock driver stores are the 'yaml' files that model
each resource collection - e.g. yaml files describing images that are
listed when the client does GET /api/images. So nothing sensitive like
credentials/anything else interesting...

> Also thinking "race condition", if more than one user is doing stuff
> with mock at the same time. (?) If such a race can occur, and affect
> more than just mock, sounds like an easy DoS any time there's a self
> service user interface. (ie Aeolus)

Depends ... the Rakefile under /path/to/deltacloud/server looks for an
environment variable called 'DELTACLOUD_MOCK_STORAGE' - if this is set
then the yaml files go there. Otherwise, they are stored under
/var/tmp/deltacloud-mock-USERNAME/ so they will be different for each
user. In theory if two users have the same 'DELTACLOUD_MOCK_STORAGE' then
there might be conflict. Also, I'm not sure how well all this plays out
if you are using Windows.

marios

> Regards and best wishes,
>
> Justin Clift
>
> --
> Aeolus Community Manager
> http://www.aeolusproject.org
>
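An added example (not Deltacloud's own code, and not part of the thread) that resolves the mock storage directory using the rule marios describes and checks it for the two concerns raised above: state shared between users via DELTACLOUD_MOCK_STORAGE, and a directory under /var/tmp that another local user could have pre-created or can write to. The function names and the finding messages are my own.

```ruby
# Added example: where would the mock driver keep its YAML files, and is
# that directory safe for this user? Follows the rule from the thread:
# DELTACLOUD_MOCK_STORAGE wins, else /var/tmp/deltacloud-mock-<username>/.
require 'etc'

def current_username(env = ENV)
  env['USER'] || (Etc.getpwuid(Process.uid).name rescue "uid#{Process.uid}")
end

# env is passed in (defaults to ENV) so the rule can be tested with a Hash.
def mock_storage_dir(env = ENV, username = current_username(env))
  custom = env['DELTACLOUD_MOCK_STORAGE']
  return custom unless custom.nil? || custom.empty?
  File.join('/var/tmp', "deltacloud-mock-#{username}")
end

# Returns an array of findings; an empty array means nothing looked wrong.
def check_mock_storage(dir, env = ENV, uid = Process.uid)
  findings = []
  if env['DELTACLOUD_MOCK_STORAGE']
    # Every user with the same value shares one set of YAML files.
    findings << 'DELTACLOUD_MOCK_STORAGE is set: users sharing this value share mock state'
  end
  return findings + ['directory does not exist'] unless File.directory?(dir)

  st = File.stat(dir)
  # /var/tmp is world-writable, so a directory with a predictable name can
  # be created by someone else first; ownership is the thing to verify.
  findings << "directory owned by uid #{st.uid}, not #{uid}" if st.uid != uid
  mode = st.mode & 0o777
  findings << format('directory is world-writable (mode %o)', mode) if mode & 0o002 != 0
  findings << format('directory is group-writable (mode %o)', mode) if mode & 0o020 != 0
  # Readable by others is only informational: the thread notes nothing
  # sensitive is stored, but it is still worth knowing.
  findings << format('directory is readable by others (mode %o)', mode) if mode & 0o044 != 0
  findings
end

if __FILE__ == $PROGRAM_NAME
  dir = mock_storage_dir
  puts "mock storage: #{dir}"
  check_mock_storage(dir).each { |f| puts "  - #{f}" }
end
```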