incubator-deltacloud-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Lutterkort <lut...@redhat.com>
Subject Re: [PATCH] dmtf reference implementation initial checkin
Date Mon, 31 Oct 2011 22:44:40 GMT
On Thu, 2011-10-20 at 08:55 +1100, Justin Clift wrote:
> On 29/09/2011, at 9:34 AM, David Lutterkort wrote:
> Just noticed something really old, but might still be important as it
> sounds indicative of a security problem.
> 
> <snip>
> >      * ... The
> >        mock driver stores its files in /var/tmp (how well does that
> >        actually work under Windows ?)
> 
> Just to ask the question, does this mean we have an information leak
> here, where "other users on a server" can potentially get details?
> 
> Also thinking "race condition", if more than one user is doing stuff
> with mock at the same time.  (?) If such a race can occur, and affect
> more than just mock, sounds like an easy DoS any time there's a self
> service user interface.  (ie Aeolus)

The mock driver is not safe at all, almost by design. It's not too hard
for two concurrent requests to clobber each other. On the plus side,
there's no race between users, since the mock driver only supports a
single user, 'mockuser'. Just to be clear: the mock driver is a toy,
useful for development, and for showing Deltacloud to your mom. Not much
more.

Other drivers do not share those limitations, since they do not use
serevr-local storage, and the remote (cloud) storage they use, as in the
case of the vSphere driver, should be safe from any sort of
concurrent-write issues. Though a review to that end would be much
appreciated.

David



Mime
View raw message