On 12/10/2014 10:34 PM, Jay Pipes wrote:
> On 12/10/2014 02:43 PM, George Shuklin wrote:
>> I have a small discussion in Launchpad: is the lack of a quota for
>> an unprivileged user counted as a security bug (or at least as a bug)?
>> If a user can create 100500 objects in the database via the normal API
>> and ops have no way to restrict this, is it OK for OpenStack or not?
> That would be a major security bug. Please do file one and we'll get
> on it immediately.
(private bug at that moment) https://bugs.launchpad.net/ossa/+bug/1401170
There is discussion about this. Quote:
Jeremy Stanley (fungi):
Traditionally we've not considered this sort of exploit a security
vulnerability. The lack of built-in quota for particular kinds of
database entries isn't necessarily a design flaw, but even if it
can/should be fixed it's likely not going to get addressed in stable
backports, is not something for which we would issue a security
advisory, and so doesn't need to be kept under secret embargo. Does
anyone else disagree?
If anyone has access to the OSSA tracker, please give your opinion in that bug.
_______________________________________________
OpenStack-dev mailing list
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev