Lock and rights do not affect on scheduled actions. security bug

slnt_opp · April 6, 2020, 10:02am

Even if vm is locked, or owner currently has no rights to manage/admin or even use(by lock) the VM, user can schedule action, e.g. resume, and turn his vm on.

Steps:

Lock VM
login as user
schedule action, like resume
wait
vm is going to be resumed
Expected: nothing should happen or/and action should have message, like cannot resume vm, because it’s locked/user has no rights [manage]

ahuertas · April 6, 2020, 3:57pm

Hello @slnt_opp

Could you please open an issue in our GitHub with the detailed information?

Thanks!

Best,
Álex

pczerny · April 6, 2020, 4:56pm

Hello @slnt_opp,
which opennebula version do you use? (On command line you can check it with ‘oned --version’)

I just tested it with 5.10.0 and 5.10.4 and it works correctly, the schedule action fails.

slnt_opp · April 7, 2020, 7:52am

We’re using 5.8.5. Unfortunately i can’t update to 5.10 now

slnt_opp · April 7, 2020, 8:14am

Done

Topic		Replies	Views
VM scheduler no longer works after database recovery General	4	456	June 14, 2022
Java API Scheduled Actions Development	2	545	September 12, 2016
Quotas for active vms Community Support	1	406	November 24, 2017
Scheduling and reservation system? Development	1	626	August 2, 2016
Failed to get shared "write" lock Is another process using the image? Community Support	2	4229	March 23, 2021

Lock and rights do not affect on scheduled actions. security bug

Related topics