Description of problem:
When creating a template in User Portal one can use Custom Properties, i.e. UserDefinedVMProperties. This could be serious as if there would be qemucmdline vdsm hook installed on hosts, then the user with TemplateCreator could modify VM's qemu process arguments and do bad things (e.g. add another net ifaces, bypass bridges, initialize connections from _inside_ to remote hosts etc. etc...).

UserDefinedVMProperties: qemu_cmdline=^.*$ version: 4.0

Thus this can be a security issue if some conditions are met.

Version-Release number of selected component (if applicable):
ovirt-engine-userportal-4.0.5.4-0.1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. add a user with TemplateCreator to system and assign him a VM
2. login with this user to User Portal
3. create template

Actual results:
a user could modify custom properties when editing newly created template in user portal

Expected results:
custom properties should be filtered in template editing

Additional info:
maybe this should be available only for real admin roles (icon with sunglasses)

I managed to modify qemu args successfully and this caused the qemu process to connect to my server on the Internet, thus access to the VM from outside.

ok, ovirt-engine-userportal-4.1.0.1-0.1.el7.noarch not visible anymore for templatecreator->templateowner.
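
An added example, not part of the bug report or of oVirt's code: a small audit an administrator could run over the UserDefinedVMProperties value to find custom properties whose validation regex accepts anything, such as the `qemu_cmdline=^.*$` definition quoted in the report. It assumes the value is a semicolon-separated list of `name=regex` pairs and uses Python's `re` as an approximation of the engine's regex dialect; the probe strings and the `example_flag` property are constructed.

```python
import re

# Constructed probes: values a tightly scoped property regex should reject.
PROBES = [
    "arbitrary text",
    '["-netdev", "user,id=n1"]',
    "x" * 64,
]


def parse_properties(spec):
    """Split 'name=regex;name2=regex2' into {name: regex}.

    Assumption: definitions are separated by ';' and only the first '='
    separates the property name from its regex. A regex that itself
    contains ';' is not handled here.
    """
    props = {}
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, pattern = item.partition("=")
        if not sep:
            raise ValueError(f"malformed property definition: {item!r}")
        props[name.strip()] = pattern
    return props


def is_permissive(pattern):
    """True if the regex accepts every probe, i.e. it validates nothing."""
    try:
        rx = re.compile(pattern)
    except re.error:
        return True  # cannot be checked here, so flag it for manual review
    return all(rx.fullmatch(p) for p in PROBES)


def audit(spec):
    """Return the sorted names of properties whose regex is permissive."""
    return sorted(n for n, p in parse_properties(spec).items() if is_permissive(p))


if __name__ == "__main__":
    # Value from the report, plus one constructed, tightly scoped property.
    print(audit("qemu_cmdline=^.*$;example_flag=^(true|false)$"))
```

Any property this flags is one where whoever can edit custom properties controls the full value handed to the matching vdsm hook, so it deserves the same access review as the hook itself.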