
Commit 66b14a0

Fix service account privilege escalation (#14729)
Ensure that a regular unprivileged user is unable to create service accounts for other users/root.
1 parent 153a612 commit 66b14a0

3 files changed

+12
-1
lines changed


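--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -605,7 +605,6 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
 IsOwner: owner,
 Claims: claims,
-DenyOnly: true,
 }) {
 writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
 return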
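Review bot: The dropped `DenyOnly: true` line is the whole fix, yet nothing in the surrounding argument struct records why deny-only evaluation is wrong here, so a later refactor could reintroduce it without tripping anyone. A short comment on the field list, e.g. `// Require an explicit allow, not merely the absence of a deny: the target user may differ from the caller.`, would tie the policy check to the privilege-escalation case this commit closes. The root/owner case appears to be handled by `IsOwner: owner` on the line above, though the value of `owner` is set outside this hunk. AddServiceAccount begins and ends outside the hunk, so the call whose arguments this struct supplies is not visible here.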

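--- a/cmd/admin-handlers-users_test.go
+++ b/cmd/admin-handlers-users_test.go
@@ -890,6 +890,9 @@ func (s *TestSuiteIAM) TestServiceAccountOpsByUser(c *check) {
 
 // 5. Check that service account can be deleted.
 c.assertSvcAccDeletion(ctx, s, userAdmClient, accessKey, bucket)
+
+// 6. Check that service account cannot be created for some other user.
+c.mustNotCreateSvcAccount(ctx, globalActiveCred.AccessKey, userAdmClient)
 }
 
 func (s *TestSuiteIAM) TestServiceAccountOpsByAdmin(c *check) {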
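Review bot: The new step 6 only tries the root credential (`globalActiveCred.AccessKey`) as the foreign target, so the "other users" half of the commit message is not exercised; the three matching hunks in cmd/sts-handlers_test.go have the same gap. Creating a second regular user in the suite and adding `c.mustNotCreateSvcAccount(ctx, otherUser.AccessKey, userAdmClient)` (with `otherUser` a constructed name for that second user) would pin the non-root case, which is the one an ordinary tenant is most likely to hit. The body of `mustNotCreateSvcAccount` is not in this diff, so whether it asserts a specific access-denied error or any error cannot be confirmed here. TestServiceAccountOpsByUser starts outside the hunk.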

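--- a/cmd/sts-handlers_test.go
+++ b/cmd/sts-handlers_test.go
@@ -625,6 +625,9 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccounts(c *check) {
 
 // 5. Check that service account can be deleted.
 c.assertSvcAccDeletion(ctx, s, userAdmClient, value.AccessKeyID, bucket)
+
+// 6. Check that service account cannot be created for some other user.
+c.mustNotCreateSvcAccount(ctx, globalActiveCred.AccessKey, userAdmClient)
 }
 
 // In this test, the parent users gets their permissions from a group, rather
@@ -725,6 +728,9 @@ func (s *TestSuiteIAM) TestLDAPSTSServiceAccountsWithGroups(c *check) {
 
 // 5. Check that service account can be deleted.
 c.assertSvcAccDeletion(ctx, s, userAdmClient, value.AccessKeyID, bucket)
+
+// 6. Check that service account cannot be created for some other user.
+c.mustNotCreateSvcAccount(ctx, globalActiveCred.AccessKey, userAdmClient)
 }
 
 func (s *TestSuiteIAM) TestOpenIDSTS(c *check) {
@@ -979,6 +985,9 @@ func (s *TestSuiteIAM) TestOpenIDServiceAcc(c *check) {
 
 // 5. Check that service account can be deleted.
 c.assertSvcAccDeletion(ctx, s, userAdmClient, value.AccessKeyID, bucket)
+
+// 6. Check that service account cannot be created for some other user.
+c.mustNotCreateSvcAccount(ctx, globalActiveCred.AccessKey, userAdmClient)
 }
 
 var testAppParams = OpenIDClientAppParams{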
