Fix user privilege escalation bug (#13976)

The AddUser() API endpoint was accepting a policy field. 
This API is used to update a user's secret key and account 
status, and allows a regular user to update their own secret key. 

The policy update is also applied, though it does not appear to 
be used by any existing client-side functionality.

This fix changes the accepted request body type and removes 
the ability to apply policy changes as that is possible via the 
policy set API.

NOTE: Changing passwords can be disabled as a workaround
for this issue by adding an explicit "Deny" rule to disable the API
for users.
This commit is contained in:
Aditya Manthramurthy
2021-12-23 09:21:21 -08:00
committed by GitHub
parent 416977436e
commit 5a96cbbeaa
7 changed files with 143 additions and 31 deletions


@@ -954,7 +954,7 @@ func (sys *IAMSys) DeleteServiceAccount(ctx context.Context, accessKey string, n
// CreateUser - create new user credentials and policy, if user already exists
// they shall be rewritten with new inputs.
func (sys *IAMSys) CreateUser(ctx context.Context, accessKey string, uinfo madmin.UserInfo) error {
func (sys *IAMSys) CreateUser(ctx context.Context, accessKey string, ureq madmin.AddOrUpdateUserReq) error {
if !sys.Initialized() {
return errServerNotInitialized
}
@@ -967,11 +967,11 @@ func (sys *IAMSys) CreateUser(ctx context.Context, accessKey string, uinfo madmi
return auth.ErrInvalidAccessKeyLength
}
if !auth.IsSecretKeyValid(uinfo.SecretKey) {
if !auth.IsSecretKeyValid(ureq.SecretKey) {
return auth.ErrInvalidSecretKeyLength
}
err := sys.store.AddUser(ctx, accessKey, uinfo)
err := sys.store.AddUser(ctx, accessKey, ureq)
if err != nil {
return err
}