cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pranav Saxena <pranav.sax...@citrix.com>
Subject RE: on templates size again (possibly security issue)
Date Mon, 18 Feb 2013 04:48:44 GMT
The fix suggested by Nitin at the API level is perfect. Though, if you want you can also have
a fix at the UI layer as well by not allowing the user to register a template. 

-----Original Message-----
From: Nitin Mehta [mailto:Nitin.Mehta@citrix.com] 
Sent: Monday, February 18, 2013 10:09 AM
To: cloudstack-users@incubator.apache.org
Subject: Re: on templates size again (possibly security issue)

Lucian - If that be the case please file a bug with your relevant logs in it. I am surprised
see it though.

Easy way out is to disable the user registering a template is to set max template limit to
0 in global config. But this will also disable him to create template from snapshot.
Other way out is to set the permissions bits for register template api to
7 in the code which will exactly fix this problem.

On 18/02/13 12:29 AM, "Nux!" <nux@li.nux.ro> wrote:

>Hello,
>
>This is related to our recent discussion on customising the ROOT 
>disk[1], being a bit unhappy about it I tried to test stuff and see how 
>this could inconvenience users or admins.
>
>So I created a 1 TB Centos 6 qcow2 template (compressed is more like
>400 MB, but uncompressed is 10GB or so.. thanks ext4!) and tried to 
>deploy it. Not only has Cloudstack (ACS 4.0.1) gladly downloaded and 
>uncompressed the template even though the remote URL was NOT in the 
>allowed list, but it also created an instance from it.. with 1 TB of 
>space ... all this was done as a regular user, not admin.
>
>First thing I would need to do is disable the users' ability to 
>register templates.. any pointers?
>
>
>Lucian
>
>
>[1] -
>http://markmail.org/message/s2mp5b2x5pzjt634?q=list:org%2Eapache%2Eincu
>bat
>or%2Ecloudstack-users+ROOT
>
>
>--
>Sent from the Delta quadrant using Borg technology!
>
>Nux!
>www.nux.ro


Mime
View raw message