Image access control is available

Bug #863305 reported by Stanislaw Pitucha
This bug affects 2 people
Affects                   Status        Importance  Assigned to         Milestone
OpenStack Compute (nova)  Fix Released  Medium      Stanislaw Pitucha
  Diablo                  Fix Released  Undecided   Unassigned
nova (Ubuntu)             Fix Released  Undecided   Unassigned

Bug Description

Using glance for images with the old-style authentication scheme, access control on images is very limited. The two basic problems are:
- users cannot see their own snapshots
- users can delete public images that do not belong to them (through nova image-delete)

Revision history for this message
Stanislaw Pitucha (stanislaw-pitucha) wrote :

Uploaded as:
https://review.openstack.org/761
https://review.openstack.org/762

Those changes have only been done / tested in an environment with old authentication scheme. I may not be aware of additional issues coming from keystone integration.

Revision history for this message
Scott Moser (smoser) wrote :

Users can delete public images and private images owned by other users. I've verified this in 2011.3.

Dave Walker (davewalker)
tags: added: server-o-rs
security vulnerability: no → yes
Dave Walker (davewalker)
Changed in nova (Ubuntu):
status: New → Confirmed
milestone: none → ubuntu-11.10
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2011.3-0ubuntu4

---------------
nova (2011.3-0ubuntu4) oneiric; urgency=low

  [James Page]
  * debian/nova-common.postinst:
    - Exclude mounted LXC rootfs filesystems within /var/lib/nova from
      user/group ownership changes (LP: #861260).
    - Ensure that primary group for 'nova' user is 'nova' so that files
      created by this user have the correct group ownership.

  [Adam Gandelman]
  * debian/nova-common.postinst: Restrict permissions of /var/log/nova
    (LP: #862816)

  [Ante Karamatic]
  * Add /usr/sbin/ietadm to sudoers (LP: #861547)
  * debian/control: Fix typo in Vcs-Bzr

  [Chuck Short]
  * debian/patches/backport-libvirt-console-pipe.patch:
    Move console.log to a ringbuffer so that the console.log
    keeps filling up. (LP: #832507)
  * debian/patches/backport-lxc-container-console-fix.patch:
    Make euca-get-console-output usable for LXC containers.
    (LP: #832159)
  * debian/patches/backport-snapshot-cleanup.patch:
    Enforce snapshot cleanup. (LP: #861582).
  * debian/patches/fix-lp863305-images-permission.patch:
    Fix image access control. (LP: #863305)
 -- Chuck Short <email address hidden> Fri, 30 Sep 2011 15:21:56 -0400

Changed in nova (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Gavin B (gavin-brebner-orange) wrote :

Updating bug info for the Openstack side ...

Changed in nova:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/761
Committed: http://github.com/openstack/nova/commit/cb37d895a6b97e294aa838f85227d29892f4e11e
Submitter: Jenkins
Branch: master

 status fixcommitted
 done

commit cb37d895a6b97e294aa838f85227d29892f4e11e
Author: Loganathan Parthipan <email address hidden>
Date: Thu Sep 29 16:41:49 2011 +0100

    Improve access check on images

    Makes sure that users can delete only their own images, snapshots.
    Enable listing of all images, both private which are owned and the public
    ones. Only list the private images/snapshots for the owner and admin users.
    Fixes bug 863305

    Change-Id: I7326ec4a99158c8db5319f2397c99c5a89be2cb5

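The access policy that the bug description and the merged commit describe (delete only images and snapshots you own; list public images plus the private ones you own; admins see everything), modelled here as an added example on plain dicts. This is not nova's code or the patch itself; the metadata field names "owner" and "is_public", the RequestContext shape and the sample catalogue are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    """Minimal stand-in for a request context (assumed shape, not nova's)."""
    project_id: str
    is_admin: bool = False


# Constructed sample catalogue: image id -> metadata. Field names are assumed.
IMAGES = {
    "img-1": {"owner": "proj-a", "is_public": True, "name": "ubuntu-base"},
    "img-2": {"owner": "proj-a", "is_public": False, "name": "snap-of-vm1"},
    "img-3": {"owner": "proj-b", "is_public": False, "name": "snap-of-vm9"},
    "img-4": {"owner": "proj-b", "is_public": True, "name": "shared-tools"},
}


def _is_owner(image, ctx):
    return image.get("owner") == ctx.project_id


def is_visible(image, ctx):
    """Public images are visible to all; private ones only to owner or admin."""
    return bool(image.get("is_public")) or ctx.is_admin or _is_owner(image, ctx)


def list_images(images, ctx):
    """Ids the caller may see, in catalogue order (own private + all public)."""
    return [iid for iid, meta in images.items() if is_visible(meta, ctx)]


def delete_image(images, image_id, ctx):
    """Delete only if the caller owns the image (or is admin).

    Before the fix a non-owner could delete a public image; here that is
    refused. An image the caller cannot see is reported as missing rather
    than forbidden, so the check does not reveal others' private snapshots.
    """
    meta = images.get(image_id)
    if meta is None or not is_visible(meta, ctx):
        raise KeyError(image_id)
    if not (ctx.is_admin or _is_owner(meta, ctx)):
        raise PermissionError(f"{ctx.project_id} does not own {image_id}")
    del images[image_id]
    return meta
```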
Revision history for this message
Openstack Gerrit (openstack-gerrit) wrote : Fix merged to nova (stable/diablo)

Reviewed: https://review.openstack.org/1132
Committed: http://github.com/openstack/nova/commit/c11659215a1cd3e551ce56f089b2682842954b04
Submitter: Jenkins
Branch: stable/diablo

 status fixcommitted
 done

commit c11659215a1cd3e551ce56f089b2682842954b04
Author: Loganathan Parthipan <email address hidden>
Date: Thu Sep 29 16:41:49 2011 +0100

    Improve access check on images

    Makes sure that users can delete only their own images, snapshots.
    Enable listing of all images, both private which are owned and the public
    ones. Only list the private images/snapshots for the owner and admin users.
    Fixes bug 863305

    (cherry picked from commit cb37d895a6b97e294aa838f85227d29892f4e11e)

    Change-Id: Idc15125371950e0c07b1dac48e8b844887fefc9d

Thierry Carrez (ttx)
Changed in nova:
milestone: none → essex-1
status: Confirmed → Fix Released
Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Hello Stanislaw, or anyone else affected,

Accepted nova into oneiric-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Mark McLoughlin (markmc)
Changed in nova:
assignee: nobody → Stanislaw Pitucha (stanislaw-pitucha)
Thierry Carrez (ttx)
Changed in nova:
milestone: essex-1 → 2012.1
This report contains Public Security information  
Everyone can see this security related information.
