Hi,

First, let me briefly explain the rationale behind this.

Both parameters (SOURCE, FILES in CONTEXT) let ANY user access ANY file that the oneadmin UNIX account can access. A simple and direct exploit is to put DISK = [ SOURCE = "/var/lib/one/one.db" ] (or equivalently in CONTEXT) and voila, you get user pools and any other data. There are even more dangerous files (e.g. "~/.ssh/id_rsa").

So we are thinking of letting a configuration variable set this, as there are some environments where OpenNebula is only accessed by trusted admins.

In the meantime, if you want to activate the attributes you have to install OpenNebula from source and change, in VirtualMachineTemplate.cc, the RESTRICTED_ATTRIBUTES and RS_ATTRS_LENGTH (which should read 5 and not 3).

Cheers

Ruben

On Wed, Jan 18, 2012 at 6:01 PM, Ruben Diez <rd...@cesga.es> wrote:
> Hi:
>
> We just migrated to OpenNebula 3.2 and we have found that some users can't
> instantiate their VMs...
>
> After consulting:
>
> http://opennebula.org/documentation:rel3.2:template#disks_section
> and
> http://opennebula.org/documentation:rel3.2:template#context_section
>
> we know that the use of the attributes SOURCE (DISK section) and FILES
> (CONTEXT section) of the template file is only allowed for users in the
> "oneadmin" group...
>
> Our question is: is there any other way to allow a user to use these
> attributes other than belonging to the oneadmin group? We think that adding
> these users to the oneadmin group is not desirable for security reasons...
>
> Regards.
>
> _______________________________________________
> Users mailing list
> Users@lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org

--
Dr. Ruben Santiago Montero
Associate Professor (Profesor Titular), Complutense University of Madrid

URL: http://dsa-research.org/doku.php?id=people:ruben
Weblog: http://blog.dsa-research.org/?author=7
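An added example, not part of the original message and not OpenNebula code: a pre-submission check that flags the two restricted attributes discussed above (SOURCE in DISK, FILES in CONTEXT) in a VM template unless the submitter belongs to the oneadmin group. The function names, the simplified template parser and the sample templates are assumptions constructed for illustration.

```python
import re

# Only the two restricted attributes named in the message are checked here.
RESTRICTED = {("DISK", "SOURCE"), ("CONTEXT", "FILES")}
ADMIN_GROUP = "oneadmin"

# NAME = [ ... ] vector attribute; the body may span several lines.
# Simplification (assumption): no ']' appears inside a quoted value.
VECTOR_RE = re.compile(r'^\s*(\w+)\s*=\s*\[(.*?)\]', re.S | re.M)
# KEY = "quoted value" or KEY = bare_value inside a vector body.
PAIR_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,\]\s]+))')

# Constructed sample templates (the one.db path is the one quoted in the message).
SAMPLE_BAD = '''
NAME = "test-vm"
# DISK = [ SOURCE = "/ignored" ]
DISK = [ SOURCE = "/var/lib/one/one.db", TARGET = "hdb" ]
CONTEXT = [
  HOSTNAME = "vm1",
  FILES = "/srv/init.sh" ]
'''
SAMPLE_OK = 'NAME = "test-vm"\nDISK = [ IMAGE_ID = 7 ]\n'


def strip_comments(text):
    """Drop whole-line '#' comments so commented-out attributes are ignored."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def restricted_uses(template_text):
    """Return [(vector, key, value)] for every restricted attribute present."""
    hits = []
    for vec in VECTOR_RE.finditer(strip_comments(template_text)):
        name = vec.group(1).upper()  # compared case-insensitively (conservative assumption)
        for pair in PAIR_RE.finditer(vec.group(2)):
            key = pair.group(1).upper()
            value = pair.group(2) if pair.group(2) is not None else pair.group(3)
            if (name, key) in RESTRICTED:
                hits.append((name, key, value))
    return hits


def check_template(template_text, user_groups):
    """Allow restricted attributes only for members of the admin group."""
    hits = restricted_uses(template_text)
    return (ADMIN_GROUP in user_groups or not hits), hits
```

The returned list of hits can be logged alongside the decision, so that a rejected template shows which host path the user tried to reference.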