[openstack-dev] Lack of quota - security bug or not?

George Shuklin george.shuklin at gmail.com
Thu Dec 11 11:51:25 UTC 2014

On 12/10/2014 10:34 PM, Jay Pipes wrote:
> On 12/10/2014 02:43 PM, George Shuklin wrote:
>> I have a small discussion in Launchpad: is the lack of a quota for
>> an unprivileged user counted as a security bug (or at least as a bug)?
>> If a user can create 100500 objects in the database via the normal API
>> and ops have no way to restrict this, is it OK for OpenStack or not?
> That would be a major security bug. Please do file one and we'll get 
> on it immediately.

(private bug at that moment) https://bugs.launchpad.net/ossa/+bug/1401170

There is discussion about this. Quote:

Jeremy Stanley (fungi):
Traditionally we've not considered this sort of exploit a security 
vulnerability. The lack of built-in quota for particular kinds of 
database entries isn't necessarily a design flaw, but even if it 
can/should be fixed it's likely not going to get addressed in stable 
backports, is not something for which we would issue a security 
advisory, and so doesn't need to be kept under secret embargo. Does 
anyone else disagree?

If anyone has access to the OSSA tracker, please give your opinion in that bug.

