Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security issue: sometimes any s3 users have access to any buckets #3084

Closed
LuckyFrost opened this issue May 20, 2022 · 1 comment
Closed

Security issue: sometimes any s3 users have access to any buckets #3084

LuckyFrost opened this issue May 20, 2022 · 1 comment

Comments

@LuckyFrost
Copy link

LuckyFrost commented May 20, 2022
edited
Loading

Describe the bug
Any s3 user has access to any buckets regardless of restrictions

System Setup

  • List the command line to start "weed master", "weed volume", "weed filer", "weed s3", "weed mount".
    /opt/weed filer -s3
  • output of weed version
    version 8000GB 3.04 9ff0d9900288a2dc92d3a82256fb3f359be20d3b linux amd64
  • if using filer, show the content of filer.toml
[cassandra]
enabled = true
keyspace = "seaweedfs"
hosts = [
    "localhost:9042",
]
username = ""
password = ""
superLargeDirectories = []
localDC = ""
connection_timeout_millisecond = 600

How to reproduce:
s3.configure -access_key=123 -secret_key=123 -buckets=test_bucket1 -user=123 -actions=Read,Write,List,Tagging -apply
s3.configure output:

      "name": "123",
      "credentials": [
        {
          "accessKey": "123",
          "secretKey": "123"
        }
      ],
      "actions": [
        "Read:test_bucket1",
        "Write:test_bucket1",
        "List:test_bucket1",
        "Tagging:test_bucket1"
      ]
    }

Now we use /usr/local/bin/aws configure with this credentials
Then

/usr/local/bin/aws --endpoint-url http://localhost:8333 s3 cp /tmp/2 s3://test_bucket1/2
upload: ../../tmp/2 to s3://test_bucket1/2
  • that's ok
/usr/local/bin/aws --endpoint-url http://localhost:8333 s3 cp /tmp/2 s3://test_bucket2/test2
upload: ../../tmp/2 to s3://test_bucket2/test2

In shell:
> fs.ls /buckets/test_bucket2
test2
  • thats not ok (Before this, such a bucket did not exist, and there are no permissions to access this bucket)

Expected behavior
upload failed: ../../tmp/2 to s3://test_bucket2/2 An error occurred (AccessDenied) when calling the PutObject operation: Access Denied.

Additional context
At the moment, I don't know how to reliably reproduce the problem: this is the second time in a week that policies spontaneously stop working and all users have access to everything. Restarting filer temporarily solves this problem. Also, I don't see any errors regarding iam in the filer output.
@chrislusf
Copy link
Collaborator

Added a potential fix. Please re-open if still happens.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@chrislusf @LuckyFrost