Re: [openstack-dev] Lack of quota - security bug or not?
On 12/11/2014 03:16 PM, Thierry Carrez wrote:
> George Shuklin wrote:
>> On 12/10/2014 10:34 PM, Jay Pipes wrote:
>>> On 12/10/2014 02:43 PM, George Shuklin wrote:
>>>> I have a small discussion in Launchpad: is the lack of a quota for
>>>> an unprivileged user counted as a security bug (or at least as a
>>>> bug)?
>>>>
>>>> If a user can create 100500 objects in the database via the normal
>>>> API and ops have no way to restrict this, is it OK for OpenStack or
>>>> not?
>>>
>>> That would be a major security bug. Please do file one and we'll get
>>> on it immediately.
>>
>> (private bug at that moment)
>> https://bugs.launchpad.net/ossa/+bug/1401170
>>
>> There is a discussion about this. Quote:
>>
>> Jeremy Stanley (fungi):
>> Traditionally we've not considered this sort of exploit a security
>> vulnerability. The lack of built-in quota for particular kinds of
>> database entries isn't necessarily a design flaw, but even if it
>> can/should be fixed it's likely not going to get addressed in stable
>> backports, is not something for which we would issue a security
>> advisory, and so doesn't need to be kept under secret embargo. Does
>> anyone else disagree?
>>
>> If anyone has access to the OSSA tracker, please say your opinion in
>> that bug.
>
> It also depends a lot on the details. Is there amplification? Is there
> a cost associated? I bet most public cloud providers would be fine with
> a user creating and paying for running 100500 instances, and that user
> would certainly end up creating at least 100500 objects in database via
> normal API.
>
> So this is really a per-report call, which is why we usually discuss
> them all separately.

No one is going to be happy if a single user can grab unlimited resources (like ten /16 nets of white IPs). The whole idea of quotas is to give ops the freedom and power to restrict users to levels of consumption that are comfortable for the infrastructure. And every op decides for their own infrastructure where that level is.

For a busy cloud it is really hard to detect a malicious user before a problem happens, and it's really hard to clean up afterwards (10 minutes for each data query after 15 minutes of lazy attack is serious, I think).

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Lack of quota - security bug or not?
On 11/12/2014 13:16, "Thierry Carrez" wrote:
> George Shuklin wrote:
>> On 12/10/2014 10:34 PM, Jay Pipes wrote:
>>> On 12/10/2014 02:43 PM, George Shuklin wrote:
>>>> I have a small discussion in Launchpad: is the lack of a quota for
>>>> an unprivileged user counted as a security bug (or at least as a
>>>> bug)?
>>>>
>>>> If a user can create 100500 objects in the database via the normal
>>>> API and ops have no way to restrict this, is it OK for OpenStack or
>>>> not?
>>>
>>> That would be a major security bug. Please do file one and we'll get
>>> on it immediately.
>>
>> (private bug at that moment)
>> https://bugs.launchpad.net/ossa/+bug/1401170
>>
>> There is a discussion about this. Quote:
>>
>> Jeremy Stanley (fungi):
>> Traditionally we've not considered this sort of exploit a security
>> vulnerability. The lack of built-in quota for particular kinds of
>> database entries isn't necessarily a design flaw, but even if it
>> can/should be fixed it's likely not going to get addressed in stable
>> backports, is not something for which we would issue a security
>> advisory, and so doesn't need to be kept under secret embargo. Does
>> anyone else disagree?
>>
>> If anyone has access to the OSSA tracker, please say your opinion in
>> that bug.
>
> It also depends a lot on the details. Is there amplification? Is there
> a cost associated? I bet most public cloud providers would be fine with
> a user creating and paying for running 100500 instances, and that user
> would certainly end up creating at least 100500 objects in database via
> normal API.
>
> So this is really a per-report call, which is why we usually discuss
> them all separately.
>
> --
> Thierry Carrez (ttx)

Most public cloud providers would not be in any way happy with a new customer spinning up anything like that number of instances.

Fraud and Abuse are major concerns for public cloud providers. Automated checks take time.

Imagine someone using a stolen but not yet cancelled credit card spinning up 1000's of instances. The card checks out OK when the user signs up but has been cancelled by the time the billing cycle closes - massive loss to the cloud provider in at least three ways. Direct lost revenue from that customer, the loss of capacity which possibly stopped other customers bringing business to the platform and finally the likelihood that the account was set up for malicious purposes, either internet facing or against the cloud infrastructure itself.

Please add me to the bug if you'd like to discuss further.

-Rob
Re: [openstack-dev] Lack of quota - security bug or not?
George Shuklin wrote:
> On 12/10/2014 10:34 PM, Jay Pipes wrote:
>> On 12/10/2014 02:43 PM, George Shuklin wrote:
>>> I have a small discussion in Launchpad: is the lack of a quota for
>>> an unprivileged user counted as a security bug (or at least as a
>>> bug)?
>>>
>>> If a user can create 100500 objects in the database via the normal
>>> API and ops have no way to restrict this, is it OK for OpenStack or
>>> not?
>>
>> That would be a major security bug. Please do file one and we'll get
>> on it immediately.
>
> (private bug at that moment) https://bugs.launchpad.net/ossa/+bug/1401170
>
> There is a discussion about this. Quote:
>
> Jeremy Stanley (fungi):
> Traditionally we've not considered this sort of exploit a security
> vulnerability. The lack of built-in quota for particular kinds of
> database entries isn't necessarily a design flaw, but even if it
> can/should be fixed it's likely not going to get addressed in stable
> backports, is not something for which we would issue a security
> advisory, and so doesn't need to be kept under secret embargo. Does
> anyone else disagree?
>
> If anyone has access to the OSSA tracker, please say your opinion in
> that bug.

It also depends a lot on the details. Is there amplification? Is there a cost associated? I bet most public cloud providers would be fine with a user creating and paying for running 100500 instances, and that user would certainly end up creating at least 100500 objects in database via normal API.

So this is really a per-report call, which is why we usually discuss them all separately.

--
Thierry Carrez (ttx)
Re: [openstack-dev] Lack of quota - security bug or not?
On 12/10/2014 10:34 PM, Jay Pipes wrote:
> On 12/10/2014 02:43 PM, George Shuklin wrote:
>> I have a small discussion in Launchpad: is the lack of a quota for
>> an unprivileged user counted as a security bug (or at least as a
>> bug)?
>>
>> If a user can create 100500 objects in the database via the normal
>> API and ops have no way to restrict this, is it OK for OpenStack or
>> not?
>
> That would be a major security bug. Please do file one and we'll get
> on it immediately.

(private bug at that moment) https://bugs.launchpad.net/ossa/+bug/1401170

There is a discussion about this. Quote:

Jeremy Stanley (fungi):
Traditionally we've not considered this sort of exploit a security vulnerability. The lack of built-in quota for particular kinds of database entries isn't necessarily a design flaw, but even if it can/should be fixed it's likely not going to get addressed in stable backports, is not something for which we would issue a security advisory, and so doesn't need to be kept under secret embargo. Does anyone else disagree?

If anyone has access to the OSSA tracker, please say your opinion in that bug.
Re: [openstack-dev] Lack of quota - security bug or not?
On 10/12/14 22:12, Jeremy Stanley wrote:
> On 2014-12-10 16:07:35 -0500 (-0500), Jay Pipes wrote:
>> On 12/10/2014 04:05 PM, Jeremy Stanley wrote:
>>> I think the bigger question is whether the lack of a quota
>>> implementation for everything a tenant could ever possibly
>>> create is something we should have reported in secret, worked
>>> under embargo, backported to supported stable branches, and
>>> announced via high-profile security advisories once fixed.
>>
>> Sure, fine.
>
> Any tips for how to implement new quota features in a way that the
> patches won't violate our stable backport policies?

If we consider it a security issue worth a CVE, then security concerns generally beat stability concerns. We'll obviously need to document the change in default behaviour in release notes though, and maybe provide a documented way to disable the change for stable releases (I suspect we already have a way to disable specific quotas, but we should make sure it's the case and we provide operators commands ready to be executed to achieve this).

/Ihar
Re: [openstack-dev] Lack of quota - security bug or not?
On 2014-12-10 16:07:35 -0500 (-0500), Jay Pipes wrote:
> On 12/10/2014 04:05 PM, Jeremy Stanley wrote:
> > I think the bigger question is whether the lack of a quota
> > implementation for everything a tenant could ever possibly
> > create is something we should have reported in secret, worked
> > under embargo, backported to supported stable branches, and
> > announced via high-profile security advisories once fixed.
>
> Sure, fine.

Any tips for how to implement new quota features in a way that the patches won't violate our stable backport policies?

--
Jeremy Stanley
Re: [openstack-dev] Lack of quota - security bug or not?
On 12/10/2014 04:05 PM, Jeremy Stanley wrote:
> On 2014-12-10 15:34:57 -0500 (-0500), Jay Pipes wrote:
>> On 12/10/2014 02:43 PM, George Shuklin wrote:
>>> I have a small discussion in Launchpad: is the lack of a quota for
>>> an unprivileged user counted as a security bug (or at least as a
>>> bug)?
>>>
>>> If a user can create 100500 objects in the database via the normal
>>> API and ops have no way to restrict this, is it OK for OpenStack or
>>> not?
>>
>> That would be a major security bug. Please do file one and we'll get
>> on it immediately.
>
> I think the bigger question is whether the lack of a quota
> implementation for everything a tenant could ever possibly create is
> something we should have reported in secret, worked under embargo,
> backported to supported stable branches, and announced via
> high-profile security advisories once fixed.

Sure, fine.

-jay
Re: [openstack-dev] Lack of quota - security bug or not?
On 2014-12-10 15:34:57 -0500 (-0500), Jay Pipes wrote:
> On 12/10/2014 02:43 PM, George Shuklin wrote:
> > I have a small discussion in Launchpad: is the lack of a quota
> > for an unprivileged user counted as a security bug (or at least
> > as a bug)?
> >
> > If a user can create 100500 objects in the database via the normal
> > API and ops have no way to restrict this, is it OK for OpenStack
> > or not?
>
> That would be a major security bug. Please do file one and we'll
> get on it immediately.

I think the bigger question is whether the lack of a quota implementation for everything a tenant could ever possibly create is something we should have reported in secret, worked under embargo, backported to supported stable branches, and announced via high-profile security advisories once fixed.

--
Jeremy Stanley
Re: [openstack-dev] Lack of quota - security bug or not?
On 12/10/2014 02:43 PM, George Shuklin wrote:
> I have a small discussion in Launchpad: is the lack of a quota for
> an unprivileged user counted as a security bug (or at least as a
> bug)?
>
> If a user can create 100500 objects in the database via the normal
> API and ops have no way to restrict this, is it OK for OpenStack or
> not?

That would be a major security bug. Please do file one and we'll get on it immediately.

Thanks,
-jay
[openstack-dev] Lack of quota - security bug or not?
I have a small discussion in Launchpad: is the lack of a quota for an unprivileged user counted as a security bug (or at least as a bug)?

If a user can create 100500 objects in the database via the normal API and ops have no way to restrict this, is it OK for OpenStack or not?