
Fix service account privilege escalation #14729

Merged
merged 1 commit into from Apr 11, 2022

Conversation

donatello
Member

@donatello donatello commented Apr 11, 2022

Description

  • Ensure that a regular unprivileged user is unable to create service accounts
    for other users/root.

This fix includes tests to check this scenario is not possible.

Motivation and Context

Fixes a security issue where an unprivileged user is able to create service accounts for root or other users and is then able to assume their access policies via the generated credentials.

This is a regression that has existed since version RELEASE.2021-12-09T06-19-41Z.

How to test this PR?

mc admin user add myminio foo foobar123
mc admin policy set myminio readonly user=foo
MC_HOST_foo=http://foo:foobar123@localhost:9000 mc admin user svcacct add foo someOtherUser

The last command above should fail.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Optimization (provides speedup with no functional changes)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

- Ensure that a regular unprivileged user is unable to create service accounts
for other users/root.
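The scenario in "How to test this PR?" (user foo with the readonly policy tries to add a service account for someOtherUser) comes down to one authorization decision: who may create a service account for whom. The following Go program is an added illustration of that decision, not MinIO's own code or the code changed by this PR. It models a simplified principal, a placeholder admin permission name (AdminCreateSvcAcctAction), a "vulnerable" check that only verifies the caller is authenticated, and a "fixed" check that allows a caller to create a service account only for themselves unless they are root or explicitly hold the admin permission. The principal names and policy contents are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Principal is a constructed, simplified view of the caller of an
// "add service account" request. It is not MinIO's internal credential type.
type Principal struct {
	Name    string          // user name the caller authenticated as
	IsRoot  bool            // true when the caller uses root credentials
	Actions map[string]bool // actions granted by the caller's policy
}

// AdminCreateSvcAcctAction is a placeholder permission name for "may manage
// service accounts of other users"; it is an assumption of this example.
const AdminCreateSvcAcctAction = "admin:CreateServiceAccountForOthers"

// ErrAccessDenied is returned when the caller may not act on the target user.
var ErrAccessDenied = errors.New("access denied")

// canCreateServiceAccountVulnerable models the regression described in the
// PR: the request is authorized solely on the caller being authenticated,
// so any user can mint credentials for any target, including root.
func canCreateServiceAccountVulnerable(caller Principal, targetUser string) error {
	if caller.Name == "" {
		return ErrAccessDenied
	}
	return nil
}

// canCreateServiceAccountFixed models the intended behavior: a caller may
// always create a service account for themselves, and for another user only
// when they are root or hold the explicit admin permission.
func canCreateServiceAccountFixed(caller Principal, targetUser string) error {
	if caller.Name == "" {
		return ErrAccessDenied
	}
	if targetUser == caller.Name {
		return nil
	}
	if caller.IsRoot || caller.Actions[AdminCreateSvcAcctAction] {
		return nil
	}
	return ErrAccessDenied
}

// readonlyUser builds a constructed principal resembling the PR's test user
// "foo" with a read-only policy: object reads only, no admin actions.
func readonlyUser(name string) Principal {
	return Principal{
		Name:    name,
		Actions: map[string]bool{"s3:GetObject": true, "s3:ListBucket": true},
	}
}

// prScenarioDenied replays the PR's test steps against a given check and
// reports whether the cross-user request (foo -> someOtherUser) is refused.
func prScenarioDenied(check func(Principal, string) error) bool {
	foo := readonlyUser("foo")
	return errors.Is(check(foo, "someOtherUser"), ErrAccessDenied)
}

func main() {
	fmt.Println("vulnerable check denies cross-user request:",
		prScenarioDenied(canCreateServiceAccountVulnerable))
	fmt.Println("fixed check denies cross-user request:",
		prScenarioDenied(canCreateServiceAccountFixed))
}
```

The key design point is that the fixed check treats the target user as part of the authorization decision rather than only the caller's identity; a self-service request stays allowed, so ordinary users can still rotate their own service-account credentials.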
@harshavardhana
Member

Will open a security tracker for this @donatello

@donatello
Member Author

Will open a security tracker for this @donatello

Ack

@minio-trusted
Contributor

Mint Automation

Test Result
mint-large-bucket.sh ✔️
mint-fs.sh ✔️
mint-gateway-s3.sh ✔️
mint-erasure.sh ✔️
mint-dist-erasure.sh ✔️
mint-gateway-nas.sh ✔️
mint-compress-encrypt-dist-erasure.sh ✔️
mint-pools.sh ✔️
Deleting image on docker hub
Deleting image locally

Member

@vadmeste vadmeste left a comment


LGTM

@harshavardhana harshavardhana merged commit 66b14a0 into minio:master Apr 11, 2022
@donatello donatello deleted the fix-svc-acc-priv-escalation branch April 11, 2022 23:06
vadmeste pushed a commit to vadmeste/minio that referenced this pull request May 5, 2022
Ensure that a regular unprivileged user is unable to create service accounts for other users/root.
@bh4t bh4t added the bugfix label Jun 9, 2023