[Openstack] [OSSA 2012-011] Compute node filesystem injection/corruption (CVE-2012-3447)

Thierry Carrez thierry at openstack.org
Wed Aug 8 12:17:30 UTC 2012


Eric Windisch wrote:
> Unfortunately, this won't be the end of vulnerabilities coming from this "feature".

Indeed. I would like to see evil file injection die, and be replaced by
cloud-init / config-drive. That's the safest way.

If we can't totally get rid of file injection, I'd like it to be a clear
second-class citizen that you should enable only if you absolutely need it.

The first step towards that shinier future is to have a very solid and
featureful config-drive implementation, which I hope Michael can
complete in time for Folsom. Then maybe we can convert more people to a
view of the world where direct file injection is not useful and should
only be enabled as a last resort.

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack




More information about the Openstack mailing list