Non-admins can create public images

Bug #1313746 reported by James Pic
Affects | Status | Importance | Assigned to | Milestone
Glance | Fix Released | Undecided | Aaron Rosen |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
OpenStack Security Notes | Fix Released | High | Nathan Kinder |

Bug Description

Glance documentation ( http://docs.openstack.org/developer/glance/glanceapi.html ) states:

> Note Use of the is_public parameter is restricted to admin users. For all other users it will be ignored.

However, this is not true on havana, i.e. with horizon:

- user a uploads an image with is_public checkbox **checked**,
- user b logs in and can see that image in /project/images_and_snapshots/

It is reproducible with the command line of course:

vagrant@precise64:/opt/stack/horizon$ glance --os-username aa --os-password aa --os-tenant-name aa --os-auth-url http://127.0.0.1:5000/v2.0 image-create --is-public True --name hacked --disk-format qcow2 --container-format bare --file cirros-0.3.2-x86_64-disk.img
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | 64d7c1cd2b6f60c92c14662941cb7913 |
| container_format | bare |
| created_at | 2014-04-28T14:10:07 |
| deleted | False |
| deleted_at | None |
| disk_format | qcow2 |
| id | 8f843998-d69f-42ee-90a2-24031aa8fe5b |
| is_public | True |
| min_disk | 0 |
| min_ram | 0 |
| name | hacked |
| owner | c8df7a80acd44967a757ad1e346f3340 |
| protected | False |
| size | 13167616 |
| status | active |
| updated_at | 2014-04-28T14:10:07 |
+------------------+--------------------------------------+
vagrant@precise64:/opt/stack/horizon$ glance --os-username bb --os-password bb --os-tenant-name bb --os-auth-url http://127.0.0.1:5000/v2.0 image-list
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| d6b482f7-7922-46f2-b501-11d18fb20f41 | cirros-0.3.1-x86_64-uec | ami | ami | 25165824 | active |
| 5579dc39-06ba-4fa8-a9d9-b26d66e8a0b0 | cirros-0.3.1-x86_64-uec-kernel | aki | aki | 4955792 | active |
| bdfc240a-2c6b-4511-bf72-0b5a9453a24a | cirros-0.3.1-x86_64-uec-ramdisk | ari | ari | 3714968 | active |
| 8f843998-d69f-42ee-90a2-24031aa8fe5b | hacked | qcow2 | bare | 13167616 | active |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+

Potentially, a malicious user could upload an image with a backdoor and make it available to the public.

Changed in ossa:
status: New → Incomplete
Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

Thanks, we'll try to reproduce the cli part of this.

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

Can you post the policy.json file that's being used by the glance server?

Thanks.

Revision history for this message
James Pic (jamespic) wrote :

Sure:

{
    "context_is_admin": "role:admin",
    "default": "",
    "manage_image_cache": "role:admin"
}

Revision history for this message
James Pic (jamespic) wrote :

Apparently we can secure it with "publicize_image": "role:admin". However, we might want to update the documentation. What's your take on this?

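The policy.json posted above has no "publicize_image" entry, so Glance's policy engine falls back to the "default" rule, which is the empty string (allow everyone). The following script is an added example, not part of the bug report or of Glance itself: it embeds the permissive policy from this thread next to the hardened variant with "publicize_image": "role:admin", and evaluates whether a user holding only a constructed "member" role would pass the "publicize_image" check. The rule evaluator is a deliberately small model of the Glance/oslo policy language (empty rule, "@", "!", "role:X", "is_admin:X", "rule:Y", "and"/"or") written for this example; the role name "member", the credential dictionaries and the function names are assumptions.

```python
import json

# Constructed sample policies (not taken from any real deployment).
# PERMISSIVE_POLICY matches the file posted in the bug; HARDENED_POLICY adds the
# "publicize_image" rule the thread recommends.
PERMISSIVE_POLICY = """{
    "context_is_admin": "role:admin",
    "default": "",
    "manage_image_cache": "role:admin"
}"""

HARDENED_POLICY = """{
    "context_is_admin": "role:admin",
    "default": "",
    "manage_image_cache": "role:admin",
    "publicize_image": "role:admin"
}"""


def _check_atom(atom, creds):
    """Evaluate one policy atom against a credential dict.

    Supported syntax (a modelled subset of the Glance policy language, an
    assumption of this example): "" or "@" always allow, "!" always denies,
    "role:X" requires X in creds["roles"], "is_admin:True" requires the
    is_admin flag. "rule:Y" atoms are resolved by evaluate()."""
    atom = atom.strip()
    if atom in ("", "@"):
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "is_admin":
        return bool(creds.get("is_admin", False)) == (value.lower() == "true")
    raise ValueError("unsupported policy atom: %r" % atom)


def evaluate(policy, rule_name, creds, _depth=0):
    """Return True if `creds` satisfy `rule_name` under `policy`.

    A rule that is absent from the file falls back to "default", which is the
    behaviour that makes the posted policy.json permissive."""
    if _depth > 10:
        raise ValueError("policy rule recursion too deep")
    if rule_name not in policy:
        if "default" not in policy:
            return False
        rule_name = "default"
    expr = policy[rule_name]
    # "or" binds looser than "and": any disjunct whose atoms all hold allows.
    for disjunct in expr.split(" or "):
        all_hold = True
        for atom in disjunct.split(" and "):
            atom = atom.strip()
            if atom.startswith("rule:"):
                ok = evaluate(policy, atom[len("rule:"):], creds, _depth + 1)
            else:
                ok = _check_atom(atom, creds)
            if not ok:
                all_hold = False
                break
        if all_hold:
            return True
    return False


def non_admin_can_publicize(policy_text):
    """True if a user holding only the constructed "member" role would be
    allowed to create an image with is_public=True under this policy.json."""
    policy = json.loads(policy_text)
    member = {"roles": ["member"], "is_admin": False}
    return evaluate(policy, "publicize_image", member)


def audit_policy_file(path):
    """Audit an on-disk policy.json; returns True when the gap is present."""
    with open(path) as f:
        return non_admin_can_publicize(f.read())


if __name__ == "__main__":
    print("permissive policy lets non-admins publicize:",
          non_admin_can_publicize(PERMISSIVE_POLICY))
    print("hardened policy lets non-admins publicize:  ",
          non_admin_can_publicize(HARDENED_POLICY))
```

Run it against a deployment's own file with `audit_policy_file("/etc/glance/policy.json")`; a True result means the fallback to "default" is still in effect for "publicize_image". Note that the check is only as good as the evaluator's coverage of the rule syntax: an unsupported atom raises rather than silently passing.
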
Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

I see two options:

1) update the doc to fit the default policy
2) update the default policy to fit the doc (I'm guessing things worked as documented at some point.)

I'm wondering if (2) might be the way to go. Restricting publicize seems a sensible default (as long as others are ok with this and it doesn't have any unforeseen side effect on eg tempest).

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

Actually, I've just re-read the docs you listed (http://docs.openstack.org/developer/glance/glanceapi.html). (I think I wrote the original note!) "For non-admin is_public will be ignored" -- but this is only relevant for image list style operations. The relevant note is in the 'Filtering Images Lists' section. The note isn't relevant for image create operations.

So I think the doc is ok (although perhaps it could be made clearer in some way).

We still need to decide if we think it makes sense to change the default policy for "publicize_image", ie to make it admin only.

Revision history for this message
Flavio Percoco (flaper87) wrote :

I think it makes sense to change the default for "publicize_image".

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

Thanks Flavio,

I think I'd prefer to see the default as admin too: I'm just wondering if we can change it without any side effects? eg would we negatively impact anybody who's depending on the existing behaviour? Is this something it's ok just to document a change in behaviour?

Revision history for this message
Thierry Carrez (ttx) wrote :

The default could be changed but only for future releases (i.e. this is not a backportable change). That said, I don't think this is a vulnerability: it's a feature with a permissive default value.

If that default value is deemed insecure, the OSSG might want to document it as such in an OSSN. In all cases, I don't think there is much value in keeping this private. Thoughts?

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

> I don't think there is much value in keeping this private.

Agreed.

Revision history for this message
Thierry Carrez (ttx) wrote :

OK, unless someone complains, I'll open this one and ask the OSSG if they want to do an OSSN about it.

Revision history for this message
Thierry Carrez (ttx) wrote :

Adding Nathan Kinder and Rob Clark from OSSG so that they can chime in before we make this public.

Revision history for this message
Robert Clark (robert-clark) wrote :

If the proposal is to make it a more sensible default in future and release an OSSN covering this and previous releases I'd be happy enough with that.

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote :

> a more sensible default

Yup:

https://review.openstack.org/#/c/92739/

we need a tempest change to land first.

(This only makes it default, it won't affect anyone who already sets it explicitly.)

Revision history for this message
Nathan Kinder (nkinder) wrote :

An OSSN seems appropriate to me. We can recommend changing the value to restrict public image uploads to admin for current releases.

Revision history for this message
Thierry Carrez (ttx) wrote :

OK, opened and added OSSN task

information type: Private Security → Public
Changed in ossa:
status: Incomplete → Won't Fix
Nathan Kinder (nkinder)
Changed in ossn:
assignee: nobody → Nathan Kinder (nkinder)
importance: Undecided → High
status: New → In Progress
Revision history for this message
Nathan Kinder (nkinder) wrote :

Published as OSSN-0015 on the wiki and the openstack and openstack-dev mailing lists:

https://wiki.openstack.org/wiki/OSSN/OSSN-0015

Changed in ossn:
status: In Progress → Fix Released
Aaron Rosen (arosen)
Changed in glance:
assignee: nobody → Aaron Rosen (arosen)
Thierry Carrez (ttx)
Changed in glance:
status: New → Fix Released