Thanks for your response, Flavio!
"As Stuart mentioned, exploiting this security issue requires some non default config options to be set." It's not correct in the common case, because for Ceph you don't need to know direct_url - you can build it as "rbd://{image_id}". So there is no possibility to avoid this bug when v1 is enabled.
I created a fix for that (my god... it's 5AM here) and it works for me. What can you say about this solution?