Bug 1391016

Summary: [User Portal] When creating template in User Portal one can use Custom Properties
Product: [oVirt] ovirt-engine
Reporter: Jiri Belka <jbelka>
Component: Frontend.UserPortal
Assignee: Tomas Jelinek <tjelinek>
Status: CLOSED CURRENTRELEASE
QA Contact: Jiri Belka <jbelka>
Severity: high
Priority: unspecified
Version: 4.0.5.5
CC: bugs, tjelinek
Target Milestone: ovirt-4.1.0-beta
Flags: rule-engine: ovirt-4.1+, rule-engine: planning_ack+, tjelinek: devel_ack+, pstehlik: testing_ack+
Target Release: 4.1.0.2
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-02-01 14:34:39 UTC
Type: Bug
oVirt Team: Virt

Description Jiri Belka 2016-11-02 12:05:29 UTC
Description of problem:

When creating a template in User Portal one can use Custom Properties, i.e. UserDefinedVMProperties.

This could be serious: if the qemucmdline vdsm hook were installed on hosts, then a user with TemplateCreator could modify the VM's qemu process arguments and do bad things (e.g. add other net ifaces, bypass bridges, initialize connections from _inside_ to remote hosts, etc.).

UserDefinedVMProperties: qemu_cmdline=^.*$ version: 4.0

Thus this can be a security issue if some conditions are met.

Version-Release number of selected component (if applicable):
ovirt-engine-userportal-4.0.5.4-0.1.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. add a user with TemplateCreator to the system and assign him a VM
2. login with this user to User Portal
3. create template

Actual results:
a user could modify custom properties when editing a newly created template in User Portal

Expected results:
custom properties should be filtered in template editing

Additional info:
maybe this should be available only for real admin roles (icon with sunglasses)

Comment 1 Jiri Belka 2016-11-02 12:34:53 UTC
I managed to modify qemu args successfully and this caused the qemu process to connect to my server on the Internet, thus giving access to the VM from outside.

Comment 2 Jiri Belka 2017-01-23 16:42:58 UTC
ok, ovirt-engine-userportal-4.1.0.1-0.1.el7.noarch

not visible anymore for templatecreator->templateowner.
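
An audit check for the precondition described in this report, added here as an example (not code from the reporter or from oVirt): it parses output in the `UserDefinedVMProperties: ... version: ...` format quoted above and lists custom properties whose validation regex accepts any value. Assumptions: multiple definitions on a line are separated by `;`, Python's `re` stands in for the engine's regex dialect, and the sample lines and the `sap_agent` property are constructed.

```python
import re

# Constructed sample, in the format quoted in the report
# (e.g. as printed by `engine-config -g UserDefinedVMProperties`).
SAMPLE = """\
UserDefinedVMProperties:  version: 3.6
UserDefinedVMProperties: qemu_cmdline=^.*$ version: 4.0
UserDefinedVMProperties: sap_agent=^(true|false)$;qemu_cmdline=^.*$ version: 4.1
"""

LINE_RE = re.compile(
    r"^UserDefinedVMProperties:\s*(?P<defs>.*?)\s*version:\s*(?P<ver>\S+)\s*$"
)

# Unrelated probe values; a regex that accepts all of them validates nothing.
PROBES = ["", "0", "arbitrary text -with --flags", "a=b,c=d"]


def parse(output):
    """Yield (cluster_version, property_name, regex) for each definition."""
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Assumption: ';' separates definitions and does not occur in a regex.
        for item in m.group("defs").split(";"):
            if "=" not in item:
                continue
            name, regex = item.split("=", 1)
            yield m.group("ver"), name.strip(), regex.strip()


def is_unrestricted(regex):
    """True if the regex accepts every probe, or cannot be compiled here."""
    try:
        pat = re.compile(regex)
    except re.error:
        return True  # cannot reason about it, so flag it for manual review
    return all(pat.fullmatch(p) is not None for p in PROBES)


def audit(output):
    """Return the definitions that place no constraint on the property value."""
    return [d for d in parse(output) if is_unrestricted(d[2])]


if __name__ == "__main__":
    for ver, name, regex in audit(SAMPLE):
        print(f"cluster {ver}: property '{name}' accepts any value ({regex})")
```

Any property this flags is worth checking against the list of vdsm hooks installed on the hosts and against which roles can edit custom properties.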