[one-users] Attributes SOURCE (DISK section) and FILES (CONTEXT section) in OpenNebula 3.2

Ruben S. Montero rubensm at dacya.ucm.es
Wed Jan 18 14:34:28 PST 2012


Hi,

First, let me briefly explain the rationale behind this.

Both parameters (SOURCE, FILES in CONTEXT) let ANY user access ANY file
that the oneadmin UNIX account can access. A simple and direct exploit is
to put

DISK = [ SOURCE = "/var/lib/one/one.db" ]  (or equivalently in CONTEXT)

and voila, you get the user pools and any other data. There are even more
dangerous files (e.g. "~/.ssh/id_rsa").

So we are thinking of letting a configuration variable control this, as there
are some environments where OpenNebula is only accessed by trusted admins.

In the meantime, if you want to activate the attributes you have to
install OpenNebula from source and change, in VirtualMachineTemplate.cc,
RESTRICTED_ATTRIBUTES and RS_ATTRS_LENGTH (which should read 5 and not 3).

Cheers

Ruben


On Wed, Jan 18, 2012 at 6:01 PM, Ruben Diez <rdiez at cesga.es> wrote:

> Hi:
>
> We just migrated to OpenNebula 3.2 and we have found that some users can't
> instantiate their VMs...
>
> After consulting:
>
> http://opennebula.org/documentation:rel3.2:template#disks_section
> and
> http://opennebula.org/documentation:rel3.2:template#context_section
>
> We know that the use of the attributes SOURCE (DISK section) and FILES
> (CONTEXT section) of the template file is only allowed to users in the
> "oneadmin" group....
>
> Our question is: Is there any other way to allow a user to use these
> attributes other than belonging to the oneadmin group? We think that adding
> these users to the oneadmin group is not desirable for security reasons....
>
>
> Regards.
>
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>



-- 
Dr. Ruben Santiago Montero
Associate Professor (Profesor Titular), Complutense University of Madrid

URL: http://dsa-research.org/doku.php?id=people:ruben
Weblog: http://blog.dsa-research.org/?author=7
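The restriction Ruben describes is a policy check on the parsed template: DISK/SOURCE and CONTEXT/FILES name paths on the front-end that the oneadmin UNIX account opens on the user's behalf, so anyone outside the oneadmin group must not be able to set them. The following is an added, stand-alone Python illustration of that check, written for this page; it is not OpenNebula's code (the real check lives in C++ in VirtualMachineTemplate.cc) and makes no attempt to reproduce its behaviour exactly. The two restricted attribute pairs and the `/var/lib/one/one.db` path come from the thread; the parser, the function names, the sample templates and the assumption that oneadmin's home is `/var/lib/one` are my own.

```python
import re

# Vector/sub-attribute pairs the thread says OpenNebula 3.2 restricts to the
# oneadmin group: each one names a file on the front-end that the oneadmin
# UNIX account will read on the user's behalf.
RESTRICTED_ATTRIBUTES = {
    ("DISK", "SOURCE"),
    ("CONTEXT", "FILES"),
}

PRIVILEGED_GROUP = "oneadmin"  # members may use the attributes above

# One template attribute: NAME = [ ... ] (vector), NAME = "quoted" or NAME = bare.
_ATTR_RE = re.compile(
    r'([A-Za-z_][A-Za-z0-9_]*)\s*=\s*'
    r'(?:\[(?P<vec>[^\]]*)\]|"(?P<quoted>[^"]*)"|(?P<bare>[^\n]*))',
    re.S,
)
# One KEY = VALUE pair inside a vector body.
_PAIR_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:"([^"]*)"|([^,\]\s]+))')


def _strip_comments(text):
    # Simplification: a '#' inside a quoted value is treated as a comment too.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_template(text):
    """Parse an OpenNebula-style template into [(NAME, value)] in file order.

    Scalars become strings, vector attributes become dicts. Names are
    upper-cased, as OpenNebula does, so "disk"/"Disk" cannot dodge the check.
    A name may repeat (several DISK entries), hence a list rather than a dict.
    """
    attrs = []
    for m in _ATTR_RE.finditer(_strip_comments(text)):
        name = m.group(1).upper()
        if m.group("vec") is not None:
            value = {k.upper(): (q or b) for k, q, b in _PAIR_RE.findall(m.group("vec"))}
        elif m.group("quoted") is not None:
            value = m.group("quoted")
        else:
            value = m.group("bare").strip()
        attrs.append((name, value))
    return attrs


def restricted_violations(template_text, user_groups):
    """Return the restricted attributes in the template that the caller may not set.

    An empty list means the template passes. Members of PRIVILEGED_GROUP pass
    unconditionally, mirroring the group-based rule described in the thread.
    The check runs on the parsed template, not on the raw text, so spacing,
    line breaks and case inside the template do not matter.
    """
    if PRIVILEGED_GROUP in user_groups:
        return []
    found = []
    for name, value in parse_template(template_text):
        if not isinstance(value, dict):
            continue
        for sub, path in value.items():
            if (name, sub) in RESTRICTED_ATTRIBUTES:
                found.append(f"{name}/{sub}={path}")
    return found


# Constructed sample templates. The one.db path is from the thread; the
# id_rsa path assumes oneadmin's home directory is /var/lib/one.
EXPLOIT_TEMPLATE = """
NAME = "leak"
CPU  = 1
DISK = [ SOURCE = "/var/lib/one/one.db" ]   # front-end database as a VM disk
CONTEXT = [
  FILES = "/var/lib/one/.ssh/id_rsa",
  HOSTNAME = "leak"
]
"""

BENIGN_TEMPLATE = """
NAME = "web"
CPU  = 1
DISK = [ IMAGE_ID = 7 ]
CONTEXT = [ HOSTNAME = "web" ]
"""

if __name__ == "__main__":
    for groups in (["users"], ["users", "oneadmin"]):
        print(groups, restricted_violations(EXPLOIT_TEMPLATE, groups))
    print(["users"], restricted_violations(BENIGN_TEMPLATE, ["users"]))
```

Run stand-alone, it rejects the exploit template for a plain user, reports nothing for an oneadmin member, and passes the benign template. The point worth carrying over to any real deployment: the decision has to be made server-side on the parsed template, after name normalisation, and the restricted set should be widened whenever a new attribute that names a front-end path is introduced, which is exactly why the thread's workaround of editing RESTRICTED_ATTRIBUTES and its length is fragile.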

