Comment 40 for bug 1549483
Revision history for this message
| Nikhil Komawar (nikhil-komawar) wrote | #40 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
So, my emphasis on the points:
1. public images do not come under this attack vector as non-admin user doesn't have rights to manipulate the image location unless someone has enabled publicize_image policy. (As a separate discussion we should consider deprecating and then removing this policy as we have community images now, will save it for later)
2. community images do come, in the case where a user shares an image and intentionally or unintentionally tries to change the image data but the checksum doesn't match. Consumers of the image are affected as the checksum doesn't match and all further references to the image (nova, snapshots, clones, etc) are affected.
3. shared images do come under this umbrella with the policy permissions requires for set & delete location