Comment 32 for bug 1546507

Mike Fedosin (mfedosin) wrote : Re: Regular user can delete any image file

Hi! This fix is for stable branches only, because in Newton we will implement it in the right way and finally separate locations into two groups: those which were created by the user and those which were created by Glance itself. In the first case Glance won't delete files if the user deletes the image.

Yes, we assume that a Glance location always contains the image identifier - it's not the best approach, but it's the lesser of all evils. Frankly speaking, in my opinion allowing users to set custom locations is a very insecure thing - Glance works with admin privileges and it can read or delete any data in storage. But in my solution, if a user (not an admin) really needs to upload a file directly without Glance and set the location on his image, he is able to do it.
He should perform the following steps: 1. Create the image instance in the DB and get its ID. 2. Then upload the file directly to the store with the same name as the ID. 3. And finally set the custom location on his image.
And I'm going to say it again - other workflows are really insecure and must be rejected; setting custom locations for arbitrary existing files may lead to a malicious user reading or deleting sensitive data, and it does not have to be an image file.
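The check the comment describes (a user-supplied location is accepted only when its final path component is the image's own ID, so Glance's admin-privileged store access can never be pointed at some other file) as an added, self-contained example. This is illustrative code written for this page, not Glance's own implementation; the image IDs, store paths and the tiny in-memory registry below are constructed for the demonstration.

```python
import uuid
from urllib.parse import urlparse, unquote


def location_matches_image(location: str, image_id: str) -> bool:
    """Return True only if `location` names a file whose basename is `image_id`.

    The URI is percent-decoded and any trailing slash stripped before the last
    path component is compared, so encoded or literal traversal sequences
    ("%2F..%2F", "/../") and query-string tricks cannot smuggle the ID past the
    check while the path really points somewhere else.
    """
    try:
        uuid.UUID(image_id)            # only canonical UUIDs are valid image IDs
    except (ValueError, TypeError):
        return False
    parsed = urlparse(location)
    if not parsed.scheme:              # require an explicit store scheme (file, swift, rbd, ...)
        return False
    path = unquote(parsed.path).rstrip("/")
    basename = path.rsplit("/", 1)[-1]
    return basename == image_id


class ImageRegistry:
    """Hypothetical stand-in for the Glance DB used to walk through the three steps."""

    def __init__(self):
        self._images = {}

    def create_image(self, name: str) -> str:
        """Step 1: create the image record and hand back its ID."""
        image_id = str(uuid.uuid4())
        self._images[image_id] = {"name": name, "locations": []}
        return image_id

    def set_location(self, image_id: str, location: str) -> bool:
        """Step 3: accept a custom location only if it points at <store>/<image_id>."""
        if image_id not in self._images:
            return False
        if not location_matches_image(location, image_id):
            return False
        self._images[image_id]["locations"].append(location)
        return True

    def locations(self, image_id: str) -> list:
        return list(self._images[image_id]["locations"])


def demo() -> dict:
    """Run the intended workflow and a few rejected ones; returns the outcomes."""
    reg = ImageRegistry()
    image_id = reg.create_image("cirros")               # step 1
    # Step 2 happens out of band: the user uploads a file named <image_id>
    # into the store. Here we only model the resulting location URI.
    ok = reg.set_location(image_id, f"file:///var/lib/glance/images/{image_id}")
    rejected = {
        "other_file": reg.set_location(image_id, "file:///etc/passwd"),
        "traversal": reg.set_location(
            image_id, f"file:///var/lib/glance/images/{image_id}/../../../etc/shadow"),
        "encoded_traversal": reg.set_location(
            image_id, f"file:///var/lib/glance/images/{image_id}%2F..%2F..%2Fetc%2Fshadow"),
        "id_in_query": reg.set_location(
            image_id, f"file:///etc/passwd?image={image_id}"),
        "no_scheme": reg.set_location(image_id, f"/var/lib/glance/images/{image_id}"),
    }
    return {"accepted": ok, "rejected": rejected, "locations": reg.locations(image_id)}


if __name__ == "__main__":
    print(demo())
```

The basename comparison is deliberately strict: it does not try to canonicalise the whole path or trust the store to do so, because the point of the mitigation is that Glance never issues a read or delete against a name the user chose freely.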