Hi, of course, you're right. Allowing users to define the FILES is a potential security issue. It would still be nice to enable users to update the other template parameters (e.g. image ID).
I know that this is way more complicated, as each individual parameter would have to be checked.

BR,
Steffen

----- Original Message -----
> Hi
>
> Not all CONTEXT attributes are restricted, it is only FILES. So we
> only let oneadmin use CONTEXT/FILES. The rationale behind this is
> that CONTEXT/FILES means accessing the filesystem using oneadmin
> privileges, and so you can use:
>
> CONTEXT= [
>   FILES = "/var/lib/one/one.db /etc/passwd"
> ]
>
> and now you have access to the whole one.db or passwd file of the
> frontend.
>
> However this may be safe depending on your setup, e.g. you only let
> users access through EC2 or OCCI...
>
> If you can live with that, simply drop the
>
> VM_RESTRICTED_ATTR = "CONTEXT/FILES"
>
> in oned.conf
>
> Cheers
>
> Ruben
>
> On Fri, Oct 26, 2012 at 2:53 PM, Steffen Claus < [email protected] > wrote:
>
> > Hi,
> >
> > I have a general question regarding the handling of VM-templates with
> > CONTEXT parameters.
> >
> > I know that the owner has to be either "oneadmin" or a member of the
> > "oneadmin" group.
> >
> > Since ONE 3.4 it is possible to grant USE-rights on such templates
> > for normal users.
> >
> > So far, so good.
> >
> > But now I would also like to change the owner of the template to a
> > normal user. Why is this not possible? What are the main concerns
> > that led to the decision to only allow "oneadmin" to define CONTEXT
> > parameters, respectively, possess templates with such parameters?
> > Are there any best practices how to handle this problem?
> >
> > BR,
> >
> > Steffen Claus
> >
> > --
> > Steffen Claus
> > Fraunhofer-Institut für Algorithmen und Wissenschaftliches Rechnen (SCAI)
> > Schloss Birlinghoven
> > D-53754 Sankt Augustin
> > Tel: +49 2241 14-2511
> > [email protected]
> > http://www.scai.fraunhofer.de
> >
> > _______________________________________________
> > Users mailing list
> > [email protected]
> > http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>
> --
> Ruben S. Montero, PhD
> Project co-Lead and Chief Architect
> OpenNebula - The Open Source Solution for Data Center Virtualization
> www.OpenNebula.org | [email protected] | @OpenNebula

--
Steffen Claus
Fraunhofer-Institut für Algorithmen und Wissenschaftliches Rechnen (SCAI)
Schloss Birlinghoven
D-53754 Sankt Augustin
Tel: +49 2241 14-2511
[email protected]
http://www.scai.fraunhofer.de
_______________________________________________
Users mailing list
[email protected]
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
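
The per-attribute check discussed in this thread, as an added Python sketch that is not part of the original messages and is not OpenNebula's code: it parses a simplified subset of the template syntax and reports which entries of a restricted list (here the `CONTEXT/FILES` value from the quoted oned.conf line) a template sets. The function names, the sample templates and the case-insensitive matching of attribute names are assumptions.

```python
import re

# Assumption: this list mirrors the oned.conf line quoted in the thread.
RESTRICTED = ["CONTEXT/FILES"]

_QUOTED = r'"(?:[^"\\]|\\.)*"'
# Vector attribute NAME = [ ... ]; a "]" inside a quoted value does not close it.
_VECTOR = re.compile(r'(\w+)\s*=\s*\[((?:' + _QUOTED + r'|[^\]"])*)\]')
# KEY = "quoted value" or KEY = bareword
_PAIR = re.compile(r'(\w+)\s*=\s*(?:(' + _QUOTED + r')|([^\s,\]"]+))')

def parse_template(text):
    """Return [(NAME, value)]; value is a dict for vector attributes, else a str."""
    text = re.sub(r'(?m)^[ \t]*#.*$', '', text)  # drop comment lines
    attrs = []
    for name, body in _VECTOR.findall(text):
        pairs = {k.upper(): (q[1:-1] if q else b) for k, q, b in _PAIR.findall(body)}
        attrs.append((name.upper(), pairs))
    for k, q, b in _PAIR.findall(_VECTOR.sub('', text)):
        attrs.append((k.upper(), q[1:-1] if q else b))
    return attrs

def restricted_used(text, restricted=RESTRICTED):
    """Return the entries of `restricted` that the template sets."""
    hits = []
    for name, value in parse_template(text):
        for rule in restricted:
            top, _, sub = rule.upper().partition("/")
            in_vector = isinstance(value, dict) and sub in value
            if name == top and (not sub or in_vector) and rule not in hits:
                hits.append(rule)
    return hits

# Constructed sample templates; the FILES value is the one quoted in the thread.
WITH_FILES = '''
NAME = "web"
DISK = [ IMAGE_ID = 7 ]
CONTEXT = [
  HOSTNAME = "web-$VMID",
  FILES = "/var/lib/one/one.db /etc/passwd" ]
'''
WITHOUT_FILES = '''
NAME = "web"
DISK = [ IMAGE_ID = 12 ]
CONTEXT = [ HOSTNAME = "web-$VMID", NOTE = "FILES = [x]" ]
'''

if __name__ == "__main__":
    for label, tpl in (("with FILES", WITH_FILES), ("without FILES", WITHOUT_FILES)):
        print(label, "->", restricted_used(tpl) or "no restricted attribute set")
```

Because the check is per attribute, a template can carry other CONTEXT entries and a changed image ID without tripping the rule; only the `FILES` key inside `CONTEXT` is reported.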
