[Openstack-security] [Bug 1493448] Re: All operations are performed with admin privileges when 'use_user_token' is False
Jeremy Stanley
fungi at yuggoth.org
Thu Oct 15 18:00:32 UTC 2015
I've switched this to a normal public bug with a security tag.
** Information type changed from Private Security to Public
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1493448
Title:
All operations are performed with admin privileges when
'use_user_token' is False
Status in Glance:
Triaged
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack Security Notes:
New
Bug description:
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed (private)
security vulnerabilities before their coordinated publication by the
OpenStack Vulnerability Management Team in the form of an official
OpenStack Security Advisory. This includes discussion of the bug or
associated fixes in public forums such as mailing lists, code review
systems and bug trackers. Please also avoid private disclosure to
other individuals not already approved for access to this information,
and provide this same reminder to those who are made aware of the
issue prior to publication. All discussion should remain confined to
this private bug report, and any proposed fixes should be added to the
bug as attachments.
In glance-api.conf we have a param called 'use_user_token' which is
enabled by default. It was introduced to allow for reauthentication
when tokens expire and prevents requests from silently failing.
https://review.openstack.org/#/c/29967/
Unfortunately disabling this parameter leads to security issues and
allows a regular user to perform any operation with admin rights.
Steps to reproduce on devstack:
1. Change /etc/glance/glance-api.conf parameters and restart glance-api:
# Pass the user's token through for API requests to the registry.
# Default: True
use_user_token = False
# If 'use_user_token' is not in effect then admin credentials
# can be specified. Requests to the registry on behalf of
# the API will use these credentials.
# Admin user name
admin_user = glance
# Admin password
admin_password = nova
# Admin tenant name
admin_tenant_name = service
# Keystone endpoint
auth_url = http://127.0.0.1:5000/v2.0
(for the v2 API it is also required to enable the registry service: data_api =
glance.db.registry.api)
2. Create a private image with the admin user:
source openrc admin admin
glance --os-image-api-version 1 image-create --name private --is-public False --disk-format qcow2 --container-format bare --file /etc/fstab
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | e533283e6aac072533d1d091a7d2e413 |
| container_format | bare |
| created_at | 2015-09-01T22:17:25.000000 |
| deleted | False |
| deleted_at | None |
| disk_format | qcow2 |
| id | e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | private |
| owner | e1cec705e33b4dfaaece11b623f3c680 |
| protected | False |
| size | 616 |
| status | active |
| updated_at | 2015-09-01T22:17:27.000000 |
| virtual_size | None |
+------------------+--------------------------------------+
3. Check the image list with the admin user:
glance --os-image-api-version 1 image-list
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| 4a1703e7-72d1-4fce-8b5c-5bb1ef2a5047 | cirros-0.3.4-x86_64-uec | ami | ami | 25165824 | active |
| c513f951-e1b0-4acd-8980-ae932f073039 | cirros-0.3.4-x86_64-uec-kernel | aki | aki | 4979632 | active |
| de99e4b9-0491-4990-8b93-299377bf2c95 | cirros-0.3.4-x86_64-uec-ramdisk | ari | ari | 3740163 | active |
| e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 | private | qcow2 | bare | 616 | active |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
4. Switch to the demo user and get the image list:
source openrc demo demo
glance --os-image-api-version 1 image-list
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| 4a1703e7-72d1-4fce-8b5c-5bb1ef2a5047 | cirros-0.3.4-x86_64-uec | ami | ami | 25165824 | active |
| c513f951-e1b0-4acd-8980-ae932f073039 | cirros-0.3.4-x86_64-uec-kernel | aki | aki | 4979632 | active |
| de99e4b9-0491-4990-8b93-299377bf2c95 | cirros-0.3.4-x86_64-uec-ramdisk | ari | ari | 3740163 | active |
| e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 | private | qcow2 | bare | 616 | active |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
5. Try to access the admin's private image with the demo user:
glance --os-image-api-version 1 image-show private
+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | e533283e6aac072533d1d091a7d2e413 |
| container_format | bare |
| created_at | 2015-09-01T22:17:25.000000 |
| deleted | False |
| disk_format | qcow2 |
| id | e0d0bf2f-9f81-4500-ae50-7a1a0994e2f0 |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | private |
| owner | e1cec705e33b4dfaaece11b623f3c680 |
| protected | False |
| size | 616 |
| status | active |
| updated_at | 2015-09-01T22:17:27.000000 |
+------------------+--------------------------------------+
The same happens when the demo user tries to create/update/delete any
image. v2 with the registry backend enabled is affected too.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1493448/+subscriptions
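The report above shows the effect of the setting by hand. The following audit script is an added example written for this page (it is not Glance code and not the reporter's reproduction): it parses a glance-api.conf, normalises the boolean the way oslo.config accepts it (true/false, yes/no, on/off, 1/0, case-insensitive), and reports whether registry requests would be issued with the configured admin credentials instead of the calling user's token, and whether the v2 API is also routed through the registry via data_api. The two configurations embedded in it are constructed for the example, using the values quoted in the bug report; the option names use_user_token, admin_user, admin_password, admin_tenant_name, auth_url and data_api are the ones the report itself names.

```python
"""Audit glance-api.conf for the use_user_token = False misconfiguration.

Added example for this page, not code from Glance or from the bug report.
Two configurations are constructed inline: the weak one from the report and
a corrected one that passes the caller's token through to the registry.
"""
import configparser

# Boolean spellings accepted by oslo.config, compared case-insensitively.
_TRUE = {"true", "1", "on", "yes"}
_FALSE = {"false", "0", "off", "no"}

# Setting data_api to this value routes the v2 API through the registry,
# which the report says makes v2 affected as well.
REGISTRY_DATA_API = "glance.db.registry.api"

# Constructed sample: the weak configuration quoted in the bug report.
VULNERABLE_CONF = """\
[DEFAULT]
# Pass the user's token through for API requests to the registry.
use_user_token = False
admin_user = glance
admin_password = nova
admin_tenant_name = service
auth_url = http://127.0.0.1:5000/v2.0
data_api = glance.db.registry.api

[keystone_authtoken]
auth_uri = http://127.0.0.1:5000
"""

# Constructed sample: the corrected configuration (the default behaviour).
HARDENED_CONF = VULNERABLE_CONF.replace("use_user_token = False",
                                        "use_user_token = True")


def parse_bool(value, default=True):
    """Normalise an oslo.config boolean; None means the option is absent."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError("not a boolean value: %r" % value)


def audit_glance_api_conf(text):
    """Return how glance-api would authenticate its registry requests."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.read_string(text)
    default = parser.defaults()  # [DEFAULT] options, keys lower-cased
    use_user_token = parse_bool(default.get("use_user_token"))
    v2_via_registry = default.get("data_api", "").strip() == REGISTRY_DATA_API
    admin_user = default.get("admin_user", "").strip()
    admin_tenant = default.get("admin_tenant_name", "").strip()

    findings = []
    if not use_user_token:
        findings.append(
            "use_user_token = False: every registry request is made as "
            "admin_user %r (tenant %r), so the registry sees an admin context "
            "for all callers and the v1 API no longer enforces image ownership"
            % (admin_user, admin_tenant))
        if v2_via_registry:
            findings.append(
                "data_api = %s: the v2 API is routed through the registry and "
                "is affected as well" % REGISTRY_DATA_API)

    return {
        "use_user_token": use_user_token,
        "v2_via_registry": v2_via_registry,
        "registry_identity": "caller's token" if use_user_token
                             else "admin_user %r" % admin_user,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF),
                        ("hardened", HARDENED_CONF)):
        result = audit_glance_api_conf(conf)
        print("%s: registry requests use %s" % (label, result["registry_identity"]))
        for finding in result["findings"]:
            print("  - " + finding)
```

Run it against a real /etc/glance/glance-api.conf by passing the file contents to audit_glance_api_conf(); an empty findings list means the API forwards the caller's own token to the registry, which is the configuration the reporter describes as safe. The boolean normalisation matters in practice: `use_user_token = off` or `= 0` is just as weak as `= False` and a naive string comparison would miss it.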