I can associate IP addresses to other users instances

Bug #882004 reported by John O'loughlin
Affects: OpenStack Compute (nova)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Hi,

I'm using Ubuntu 10.10 with nova installed from trunk: version 2012.1-dev (2012.1-LOCALBRANCH:LOCALREVISION)

I have created a new user tom, added them to an existing project called project2 and given them sysadmin role in the project.

As tom I can allocate myself an address (in this case 131.227.75.52)

root@cloud-cc:~/tom# euca-describe-addresses
ADDRESS 131.227.75.50 None (project1)
ADDRESS 131.227.75.51 i-00000243 (project2)
ADDRESS 131.227.75.52 i-00000250 (project2)

As you can see it's in project2

But I can now associate it to an instance started by another user in another project:

euca-associate-address -i i-00000250 131.227.75.52

INSTANCE i-00000250 ami-00000003 131.227.75.52 10.0.0.15 running None (project1, compute03) 1 m1.small 2011-10-26T12:39:20Z nova aki-00000001 ari-00000002

I have also noticed that just creating a user and then adding them to a project (without adding any roles) allows them to describe all images (euca-describe-images) and start instances from them.

Regards John

Revision history for this message
Mark McLoughlin (markmc) wrote :

Needs to be assessed by vuln-mgmt

security vulnerability: no → yes
visibility: public → private
Revision history for this message
Thierry Carrez (ttx) wrote :

Rule #2: Once public, always public.

visibility: private → public
Revision history for this message
Jay Pipes (jaypipes) wrote :

Actually, Rule #2 is don't talk about Fight Club, Thierry.

Revision history for this message
Thierry Carrez (ttx) wrote :

This definitely has security consequences and needs to be fixed ASAP.
Anyone with a patch? Does this affect all Nova versions?

Changed in nova:
importance: Undecided → High
status: New → Confirmed
Revision history for this message
Brian Waldon (bcwaldon) wrote :

Are you sure 'tom' doesn't have elevated privileges? I couldn't reproduce this...

Revision history for this message
Chris Behrens (cbehrens) wrote :

There was another very similar bug ID that I fixed immediately before the diablo release. This bug is so old that it could have been fixed back then by my patch for the other bug. Or someone else silently patched it or patched it by accident :)

Revision history for this message
Thierry Carrez (ttx) wrote :

The original poster got the issue on an early Essex build, so probably not fixed in Diablo...
Chris: any idea of the bug ID so that we can double-check?

Setting to Incomplete until someone can reproduce it.

Changed in nova:
importance: High → Undecided
status: Confirmed → Incomplete
Revision history for this message
Russell Bryant (russellb) wrote :

It looks like this is the related bug: https://bugs.launchpad.net/nova/+bug/855115

Related commits:

commit d1ebc892ee7606bcafd10f14a4c3364d1805232e
Merge: e2596d3 4d0bb87
Author: Chris Behrens <email address hidden>
Date: Wed Sep 21 21:51:40 2011 +0000

    Fix lp:855115 -- Issue with disassociating floating ips.

commit 4d0bb8730a076b44d0a37fd0770c743b834e5751
Author: Chris Behrens <email address hidden>
Date: Wed Sep 21 08:47:33 2011 +0000

    update floating ips tests

commit aff43d206a679c1b81904a72cb2e4fb6dadbd515
Author: Chris Behrens <email address hidden>
Date: Wed Sep 21 08:37:54 2011 +0000

    floating ip could have no project and we should allow access

commit f752e712b7710b921f332c5c8459a29e064e8681
Author: Chris Behrens <email address hidden>
Date: Wed Sep 21 08:27:48 2011 +0000

    actions on floating IPs in other projects for non-admins should not be allowed.

commit 778a1d162bbb8032e319d2bc2ae99c20339e1a47
Author: Chris Behrens <email address hidden>
Date: Wed Sep 21 06:40:52 2011 +0000

    floating_ip_get_by_address should check user's project_id

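The following is an added example, not nova's own code and not the patch from the commits listed above. It models the authorization rule those commit messages describe (a non-admin may only act on floating IPs in their own project, and an address with no project is allowed) and, following the scenario in the original report, also requires the target instance to belong to the caller's project. The `Context`, `FloatingIp` and `Instance` records, the function names, and the sample data are all constructed for illustration; the addresses and instance IDs are taken from the report.

```python
"""Project-scoped authorization for floating IP association.

Added example; not nova's code. Records and names are constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional


class NotAuthorized(Exception):
    """Raised when the caller may not act on a resource."""


@dataclass(frozen=True)
class Context:
    """The calling user, as a request context would carry it."""
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass(frozen=True)
class FloatingIp:
    """A floating address; project_id is None when nobody owns it."""
    address: str
    project_id: Optional[str]
    instance_id: Optional[str] = None


@dataclass(frozen=True)
class Instance:
    instance_id: str
    project_id: str


def authorize_floating_ip(ctx: Context, fip: FloatingIp) -> None:
    """Admins may touch any address; an unowned address is allowed
    (the 'could have no project' case from the commit messages);
    otherwise the address must be in the caller's project."""
    if ctx.is_admin or fip.project_id is None:
        return
    if fip.project_id != ctx.project_id:
        raise NotAuthorized(
            f"{fip.address} belongs to {fip.project_id}, "
            f"caller is in {ctx.project_id}")


def authorize_instance(ctx: Context, inst: Instance) -> None:
    """The instance being attached to must also be the caller's.
    This check is an assumption drawn from the report's scenario,
    not from the listed commits."""
    if ctx.is_admin:
        return
    if inst.project_id != ctx.project_id:
        raise NotAuthorized(
            f"{inst.instance_id} belongs to {inst.project_id}, "
            f"caller is in {ctx.project_id}")


def associate_floating_ip(ctx: Context, fip: FloatingIp,
                          inst: Instance) -> FloatingIp:
    """Authorize both resources before recording the association."""
    authorize_floating_ip(ctx, fip)
    authorize_instance(ctx, inst)
    return replace(fip, instance_id=inst.instance_id)


def can_associate(ctx: Context, fip: FloatingIp, inst: Instance) -> bool:
    """Boolean form of the check, convenient for tests and audits."""
    try:
        associate_floating_ip(ctx, fip, inst)
        return True
    except NotAuthorized:
        return False


# Constructed sample data mirroring the report: tom is in project2,
# 131.227.75.52 is allocated to project2, i-00000250 is in project1.
TOM = Context(user_id="tom", project_id="project2")
FIP_52 = FloatingIp(address="131.227.75.52", project_id="project2")
INST_250 = Instance(instance_id="i-00000250", project_id="project1")

if __name__ == "__main__":
    # The report's cross-project association is refused here.
    print("tom -> i-00000250:", can_associate(TOM, FIP_52, INST_250))
```

Running the module prints `False` for the report's scenario: tom owns the address but not the instance, so the association is refused. An admin context, or an instance in project2, would be accepted, and an address with no project is treated as available rather than as belonging to someone else.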
Revision history for this message
Thierry Carrez (ttx) wrote :

Closing as Invalid as we can't reproduce it, it's probably been fixed.

Changed in nova:
status: Incomplete → Invalid