Hello,
there seem to be several files named build.sh in the Sunstone package (opennebula-sunstone-6.8.0-1.el9.noarch in my case) in the /usr/lib/one/sunstone/public directory. This means that they are accessible from the public Sunstone web. I don’t think this is a security hole (unless combined with a misconfigured HTTP server), but still I think there should be only the strictly necessary files present in the public HTTP area of Sunstone.
Could the packaging scripts be modified so that these service files are not packaged into a publicly accessible directory?
Thanks!
-Yenya