Published as OSSN-0015 on the wiki and the openstack and openstack-dev mailing lists:
https://wiki.openstack.org/wiki/OSSN/OSSN-0015

** Changed in: ossn
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1313746

Title:
  Non-admins can create public images

Status in OpenStack Image Registry and Delivery Service (Glance):
  New
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  Glance documentation ( http://docs.openstack.org/developer/glance/glanceapi.html ) states:

  > Note
  > Use of the is_public parameter is restricted to admin users. For all
  > other users it will be ignored.

  However, this is not true on Havana, i.e. with Horizon:

  - user a uploads an image with the is_public checkbox **checked**,
  - user b logs in and can see that image in /project/images_and_snapshots/

  It is reproducible with the command line of course:

  vagrant@precise64:/opt/stack/horizon$ glance --os-username aa --os-password aa --os-tenant-name aa --os-auth-url http://127.0.0.1:5000/v2.0 image-create --is-public True --name hacked --disk-format qcow2 --container-format bare --file cirros-0.3.2-x86_64-disk.img
  +------------------+--------------------------------------+
  | Property         | Value                                |
  +------------------+--------------------------------------+
  | checksum         | 64d7c1cd2b6f60c92c14662941cb7913     |
  | container_format | bare                                 |
  | created_at       | 2014-04-28T14:10:07                  |
  | deleted          | False                                |
  | deleted_at       | None                                 |
  | disk_format      | qcow2                                |
  | id               | 8f843998-d69f-42ee-90a2-24031aa8fe5b |
  | is_public        | True                                 |
  | min_disk         | 0                                    |
  | min_ram          | 0                                    |
  | name             | hacked                               |
  | owner            | c8df7a80acd44967a757ad1e346f3340     |
  | protected        | False                                |
  | size             | 13167616                             |
  | status           | active                               |
  | updated_at       | 2014-04-28T14:10:07                  |
  +------------------+--------------------------------------+

  vagrant@precise64:/opt/stack/horizon$ glance --os-username bb --os-password bb --os-tenant-name bb --os-auth-url http://127.0.0.1:5000/v2.0 image-list
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
  | ID                                   | Name                            | Disk Format | Container Format | Size     | Status |
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
  | d6b482f7-7922-46f2-b501-11d18fb20f41 | cirros-0.3.1-x86_64-uec         | ami         | ami              | 25165824 | active |
  | 5579dc39-06ba-4fa8-a9d9-b26d66e8a0b0 | cirros-0.3.1-x86_64-uec-kernel  | aki         | aki              | 4955792  | active |
  | bdfc240a-2c6b-4511-bf72-0b5a9453a24a | cirros-0.3.1-x86_64-uec-ramdisk | ari         | ari              | 3714968  | active |
  | 8f843998-d69f-42ee-90a2-24031aa8fe5b | hacked                          | qcow2       | bare             | 13167616 | active |
  +--------------------------------------+---------------------------------+-------------+------------------+----------+--------+

  Potentially, a malicious user could upload an image with a backdoor and
  make it available to the public.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1313746/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
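The report above shows the symptom (a non-admin tenant setting is_public and the image appearing in another tenant's listing) but not how an operator would check for the underlying cause or for images already exposed. The following is an added example, not code from the bug report, from OSSN-0015 or from the Glance project. It audits two things: whether the Glance policy.json rule that gates is_public=True (`publicize_image`, the real rule name; the policy fragments themselves are constructed) is bound to a condition such as role:admin rather than left empty, and which public images in an image listing are owned by tenants not expected to publish. The image records and the trusted-tenant set are constructed sample data; only the "hacked" entry reuses values from the report.

```python
import json

# Constructed policy.json fragments for illustration (not copied from the bug
# report or from any Glance release). Glance evaluates the "publicize_image"
# rule when a request sets is_public=True; an empty rule string matches every
# authenticated user, which is the behaviour the bug report describes.
PERMISSIVE_POLICY = json.dumps({
    "context_is_admin": "role:admin",
    "default": "",
    "publicize_image": "",
})

# Hardened form: only callers holding the admin role may publicize an image.
HARDENED_POLICY = json.dumps({
    "context_is_admin": "role:admin",
    "default": "",
    "publicize_image": "role:admin",
})

# Constructed variant using a rule alias, to show alias resolution.
ALIASED_POLICY = json.dumps({
    "default": "",
    "admin_only": "role:admin",
    "publicize_image": "rule:admin_only",
})


def resolve_rule(policy, name, _seen=None):
    """Return the effective rule string for *name*, following "rule:" aliases.

    A missing rule falls back to "default"; a rule written as "rule:other" is
    replaced by the body of "other". A cycle guard stops self-referential
    policies from recursing forever (a cycle resolves to "" so it gets flagged).
    """
    if _seen is None:
        _seen = set()
    if name in _seen:
        return ""
    _seen.add(name)
    rule = policy.get(name)
    if rule is None:
        rule = policy.get("default", "") if name != "default" else ""
    rule = rule.strip()
    if rule.startswith("rule:"):
        return resolve_rule(policy, rule[len("rule:"):], _seen)
    return rule


def publicize_is_restricted(policy_text):
    """True if publicize_image is bound to a condition, False if open to all."""
    policy = json.loads(policy_text)
    rule = resolve_rule(policy, "publicize_image")
    # In OpenStack policy syntax "" and "@" both mean "always allowed".
    return rule not in ("", "@")


# Constructed image records mirroring the fields glance image-create prints.
# The "hacked" entry reuses the values from the bug report; the rest are made up,
# and ADMIN-TENANT-PLACEHOLDER stands in for the operator's own tenant id.
SAMPLE_IMAGES = [
    {"id": "8f843998-d69f-42ee-90a2-24031aa8fe5b", "name": "hacked",
     "is_public": True, "owner": "c8df7a80acd44967a757ad1e346f3340"},
    {"id": "11111111-1111-1111-1111-111111111111", "name": "cirros-base",
     "is_public": True, "owner": "ADMIN-TENANT-PLACEHOLDER"},
    {"id": "22222222-2222-2222-2222-222222222222", "name": "private-test",
     "is_public": False, "owner": "c8df7a80acd44967a757ad1e346f3340"},
]


def unexpected_public_images(images, trusted_owners):
    """IDs of public images whose owner is not a tenant expected to publish."""
    return [img["id"] for img in images
            if img.get("is_public") and img.get("owner") not in trusted_owners]


if __name__ == "__main__":
    for label, text in (("permissive", PERMISSIVE_POLICY),
                        ("hardened", HARDENED_POLICY),
                        ("aliased", ALIASED_POLICY)):
        print(label, "restricted:", publicize_is_restricted(text))
    print("unexpected public images:",
          unexpected_public_images(SAMPLE_IMAGES, {"ADMIN-TENANT-PLACEHOLDER"}))
```

In a real deployment the image records would come from the Glance API or the `glance image-list` output rather than an inline list, and the trusted set would be the tenants that legitimately publish base images. Any image the audit flags is one to review and, if unwanted, make private before fixing the policy so the condition cannot recur.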

