[openstack-dev] Lack of quota - security bug or not?

Thierry Carrez thierry at openstack.org
Thu Dec 11 13:16:00 UTC 2014


George Shuklin wrote:
> 
> 
> On 12/10/2014 10:34 PM, Jay Pipes wrote:
>> On 12/10/2014 02:43 PM, George Shuklin wrote:
>>> I have some small discussion in launchpad: is lack of a quota for
>>> unprivileged user counted as security bug (or at least as a bug)?
>>>
>>> If user can create 100500 objects in database via normal API and ops
>>> have no way to restrict this, is it OK for Openstack or not?
>>
>> That would be a major security bug. Please do file one and we'll get
>> on it immediately.
>>
> 
> (private bug at that moment) https://bugs.launchpad.net/ossa/+bug/1401170
> 
> There is discussion about this. Quote:
> 
> Jeremy Stanley (fungi):
> Traditionally we've not considered this sort of exploit a security
> vulnerability. The lack of built-in quota for particular kinds of
> database entries isn't necessarily a design flaw, but even if it
> can/should be fixed it's likely not going to get addressed in stable
> backports, is not something for which we would issue a security
> advisory, and so doesn't need to be kept under secret embargo. Does
> anyone else disagree?
> 
> If anyone have access to OSSA tracker, please say your opinion in that bug.

It also depends a lot on the details. Is there amplification ? Is there
a cost associated ? I bet most public cloud providers would be fine with
a user creating and paying for running 100500 instances, and that user
would certainly end up creating at least 100500 objects in database via
normal API.

So this is really a per-report call, which is why we usually discuss
them all separately.

-- 
Thierry Carrez (ttx)



More information about the OpenStack-dev mailing list