Comment 19 for bug 1546507

Stuart McLaren (stuart-mclaren) wrote : Re: Regular user can delete any image file

> Preventing regular users from using the Glance image location seems like a regression

1) This would be a more restrictive default policy rather than anything hard coded.

I've always considered exposing the locations to be exposing some of Glance's internals. (I know there are different opinions on this.)

I think the location stuff was made available for anyone who wanted to switch it on, but we put warnings on the config options -- "security risk" (with exclamation points!) -- because anyone who is concerned about security really shouldn't be giving direct access to the locations to regular users. There's just too much scope to do bad things (e.g. this bug).

We can try to make the location stuff less amazingly insecure, but I think that anyone who has enabled it to date should have been aware of the dangers of enabling it for all users.

Deployments which don't allow direct access to the locations for all users will *always* have a much smaller attack surface.

2) As far as I'm aware, the killer use case for allowing access to the locations is for performance wins where Cinder can avoid streaming all the image data.

This doesn't require the end user to access the location, just the Cinder service on behalf of the user. This could be done with service tokens.