[openstack-dev] Lack of quota - security bug or not?

Clark, Robert Graham robert.clark at hp.com
Thu Dec 11 13:30:33 UTC 2014


On 11/12/2014 13:16, "Thierry Carrez" <thierry at openstack.org> wrote:


>George Shuklin wrote:
>> 
>> 
>> On 12/10/2014 10:34 PM, Jay Pipes wrote:
>>> On 12/10/2014 02:43 PM, George Shuklin wrote:
>>>> I have some small discussion in launchpad: is lack of a quota for
>>>> unprivileged user counted as security bug (or at least as a bug)?
>>>>
>>>> If user can create 100500 objects in database via normal API and ops
>>>> have no way to restrict this, is it OK for Openstack or not?
>>>
>>> That would be a major security bug. Please do file one and we'll get
>>> on it immediately.
>>>
>> 
>> (private bug at that moment)
>> https://bugs.launchpad.net/ossa/+bug/1401170
>> 
>> There is discussion about this. Quote:
>> 
>> Jeremy Stanley (fungi):
>> Traditionally we've not considered this sort of exploit a security
>> vulnerability. The lack of built-in quota for particular kinds of
>> database entries isn't necessarily a design flaw, but even if it
>> can/should be fixed it's likely not going to get addressed in stable
>> backports, is not something for which we would issue a security
>> advisory, and so doesn't need to be kept under secret embargo. Does
>> anyone else disagree?
>> 
>> If anyone has access to the OSSA tracker, please say your opinion in that
>> bug.
>
>It also depends a lot on the details. Is there amplification? Is there
>a cost associated? I bet most public cloud providers would be fine with
>a user creating and paying for running 100500 instances, and that user
>would certainly end up creating at least 100500 objects in database via
>normal API.
>
>So this is really a per-report call, which is why we usually discuss
>them all separately.
>
>-- 
>Thierry Carrez (ttx)

Most public cloud providers would not be in any way happy with a new
customer spinning up anything like that number of instances. Fraud and
Abuse are major concerns for public cloud providers. Automated checks take
time.

Imagine someone using a stolen but not yet cancelled credit card spinning
up 1000's of instances. The card checks out ok when the user signs up but
has been cancelled by the time the billing cycle closes - massive loss to
the cloud provider in at least three ways. Direct lost revenue from that
customer, the loss of capacity which possibly stopped other customers
bringing business to the platform and finally the likelihood that the
account was set up for malicious purposes, either internet facing or
against the cloud infrastructure itself.

Please add me to the bug if you'd like to discuss further.

-Rob