[Bug 1521560] [NEW] User can delete any image
Viktor Křivák
viktor.krivak at gmail.com
Tue Dec 1 10:21:44 UTC 2015
*** This bug is a security vulnerability ***
Public security bug reported:
Not sure whether I have some typo in my config, but it looks like that,
from Kilo on, a user can delete any image via the nova API. Only the UUID is needed.
Also a user can list every image in the system, even non-public ones which
don't belong to him.
# Image info:
$ glance image-show 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | ee1eca47dc88f4879d8a229cc70a07c6 |
| container_format | bare |
| created_at | 2015-11-30T18:08:05Z |
| disk_format | qcow2 |
| hw_vif_model | e1000 |
| id | 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba |
| min_disk | 0 |
| min_ram | 0 |
| name | Cirros 0.3.4 |
| owner | d697f13bce95426d82179c216a8e3f1c |
| protected | False |
| size | 13287936 |
| status | active |
| tags | [] |
| updated_at | 2015-11-30T18:08:06Z |
| virtual_size | None |
| visibility | public |
+------------------+--------------------------------------+
# Notice it is just a public image with an owner (other than myself)
# My session
$ openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-12-01T11:03:03.988742Z |
| id | ################################ |
| project_id | 873a42b1eb3a42768f6b702c55b5c932 |
| user_id | 37d0d3638ab243f786e68649fad84354 |
+------------+----------------------------------+
# And then this somehow works
$ nova image-delete 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba
$ nova image-list
+--------------------------------------+---------------------+--------+--------+
| ID | Name | Status | Server |
+--------------------------------------+---------------------+--------+--------+
| 90678a27-c1e7-499b-9c06-bc6c01e100b3 | Debian 7 - Refstack | ACTIVE | |
| f851e1d7-9e17-4c6f-beda-de3b3ea40db1 | Debian 8 | ACTIVE | |
+--------------------------------------+---------------------+--------+--------+
$ nova image-show 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba
ERROR (CommandError): No image with a name or ID of '3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba' exists.
$ glance image-show 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba
404 Not Found: No image found with ID 3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba (HTTP 404)
Glance always correctly returns 404, but nova deletes it even if I'm just a member.
If I don't have any mistake in my config, this is a serious security bug, because anyone can delete any image.
My opinion is that nova calls glance internally as admin and doesn't do any additional permission checks.
A quick fix could be just to add a filter to nova/image/api.py.
My nova version: 2015.1.2-2 (Kilo)
Tested on Debian GNU/Linux 8.2 (jessie), but I think this bug is general.
** Affects: nova (Ubuntu)
Importance: Undecided
Status: New
** Attachment added: "Nova configuration with removed passwords"
https://bugs.launchpad.net/bugs/1521560/+attachment/4527887/+files/nova.conf
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/1521560
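The reporter's suggested fix is a caller-side filter in the proxying API. The following is an added example (not nova's or glance's code) that models the pattern the report describes, a front end holding service-admin credentials and forwarding deletes without authorizing the caller, beside a hardened variant that checks ownership and the `protected` flag first; `Context`, `ImageStore` and `SAMPLE_IMAGES` are constructed stand-ins.

```python
"""Ownership check for a proxied image delete: an added example, not nova's or
glance's code. It models what the report describes: a front-end API holding
admin credentials to the image service forwards a delete without checking
whether the *caller* may delete that image. Everything here is a stand-in."""
from dataclasses import dataclass


@dataclass
class Context:
    """Caller identity, as the token in the report carries it."""
    project_id: str
    is_admin: bool = False


class ImageStore:
    """Stand-in for the image service, reached with service-admin credentials."""

    def __init__(self, images):
        self._images = {img["id"]: dict(img) for img in images}

    def get(self, image_id):
        if image_id not in self._images:
            raise LookupError("No image found with ID %s" % image_id)
        return dict(self._images[image_id])

    def delete(self, image_id):
        self.get(image_id)  # LookupError for unknown ids
        del self._images[image_id]


def unsafe_delete(store, context, image_id):
    """Behaviour the report describes: privileged call, caller never checked."""
    store.delete(image_id)


def delete_image(store, context, image_id):
    """Hardened variant: authorize the caller before the privileged call."""
    image = store.get(image_id)
    if image.get("protected"):  # the 'protected' flag from glance image-show
        raise PermissionError("image %s is protected" % image_id)
    if not context.is_admin and image.get("owner") != context.project_id:
        raise PermissionError("project %s may not delete image %s"
                              % (context.project_id, image_id))
    store.delete(image_id)


# Constructed records reusing the ids shown in the report (not real data).
SAMPLE_IMAGES = [{"id": "3ce0aadd-2e79-4d6b-86db-5ccd0fce3eba",
                  "owner": "d697f13bce95426d82179c216a8e3f1c",
                  "protected": False, "visibility": "public"}]
```

Public visibility only grants read access; the delete decision is made on `owner` and `protected`, which is why the check has to run in the proxy rather than rely on the privileged credentials it holds.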