[openstack-dev] Lack of quota - security bug or not?
George Shuklin
george.shuklin at gmail.com
Thu Dec 11 11:51:25 UTC 2014
On 12/10/2014 10:34 PM, Jay Pipes wrote:
> On 12/10/2014 02:43 PM, George Shuklin wrote:
>> I have a small discussion in Launchpad: is the lack of a quota for
>> an unprivileged user counted as a security bug (or at least as a bug)?
>>
>> If a user can create 100500 objects in the database via the normal API and ops
>> have no way to restrict this, is it OK for OpenStack or not?
>
> That would be a major security bug. Please do file one and we'll get
> on it immediately.
>
(private bug at that moment) https://bugs.launchpad.net/ossa/+bug/1401170
There is discussion about this. Quote:
Jeremy Stanley (fungi):
Traditionally we've not considered this sort of exploit a security
vulnerability. The lack of built-in quota for particular kinds of
database entries isn't necessarily a design flaw, but even if it
can/should be fixed it's likely not going to get addressed in stable
backports, is not something for which we would issue a security
advisory, and so doesn't need to be kept under secret embargo. Does
anyone else disagree?
If anyone has access to the OSSA tracker, please give your opinion in that bug.