Comment 2 for bug 1525915

Flavio Percoco (flaper87) wrote : Re: Normal user can change image status if show_multiple_locations has been set to true

I can confirm this bug and the security risks related to this. A non-admin user can modify public images and inject locations pointing to dangerous images.

We have 2 ways to "fix" this bug:

1) Recommend people to not use this config option on public endpoints until we refactor the import process and remove/improve this functionality

2) Actually fix this bug and backport patches accordingly.

My preference is #2 and we have 3 things to do here, IMHO:

1) Whenever an image is left without locations, it should be moved to 'deleted' as it'd be left without data and that's like deleting the image.

2) Forbid location changes for non-owners. I shouldn't be able to modify locations for an image I don't own as that allows for things like the one reported in this bug. Even if #1 is done, we'll still need this because a user could add a second location and then delete the old one to walk around #1.

3) Change the default policy for `*_image_location` to be admin only.

I'd like to get opinions from folks with access to this bug before we move forward with the fix.