one: Users can not update VM config
Description
When a regular user tries to update the VM’s config (for example, a context var), they get the following error:
one.vm.updateconf result FAILURE [one.vm.updateconf] User [2] : Template includes a restricted attribute DISK.
The specific setting from oned.conf creating the issue is:
VM_RESTRICTED_ATTR = "DISK/ORIGINAL_SIZE"
The weird part is that this setting also exists in older versions (for example, 5.10.5), but this issue is nonexistent on that version.
To Reproduce
Create a user (not belonging to oneadmin group), allow this user to use a specific VM (use permission, change owner, whatever). Try to update the VM’s context.
Details
- Affected components: core
- Version: 5.12.3
Progress Status
- Branch created
- Code committed to development branch
- Testing - QA
- Documentation
- Release notes - resolved issues, compatibility, known issues
- Code committed to upstream release/hotfix branches
- Documentation committed to upstream release/hotfix branches
About this issue
- State: closed
- Created 4 years ago
- Comments: 19 (18 by maintainers)
Commits related to this issue
- B #5096: delete restricted attributes (#973) Signed-off-by: Jorge Lobo <jlobo@opennebula.io> — committed to OpenNebula/one by jloboescalona2 3 years ago
- Revert "B #5096: delete restricted attributes (#973)" This reverts commit fa0857967d172ecaf513490df97f47296dd39ede. — committed to OpenNebula/one by tinova 3 years ago
- B #5096: fix bug updating VM conf — committed to OpenNebula/one by deleted user 3 years ago
- B #5096: fix minor bug with CPU_MODEL (#979) — committed to OpenNebula/one by deleted user 3 years ago
I also just stumbled upon this. Is there any workaround? Removing DISK/ORIGINAL_SIZE from the VM_RESTRICTED_ATTR list does not seem to be a good idea, as this value directly ends up in shell scripts and would possibly allow RCE, correct?