Fix user privilege escalation bug (#13976)

The AddUser() API endpoint was accepting a policy field. 
This API is used to update a user's secret key and account 
status, and allows a regular user to update their own secret key. 

The policy update is also applied, though it does not appear to 
be used by any existing client-side functionality.

This fix changes the accepted request body type and removes 
the ability to apply policy changes as that is possible via the 
policy set API.

NOTE: Changing passwords can be disabled as a workaround
for this issue by adding an explicit "Deny" rule to disable the API
for users.
Aditya Manthramurthy
2021-12-23 09:21:21 -08:00
committed by GitHub
parent 416977436e
commit 5a96cbbeaa
7 changed files with 143 additions and 31 deletions
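The mechanism the commit message describes (a self-service endpoint whose request body type carries a field that should only be settable through a separate, admin-gated path) is easy to reproduce in isolation. The following is an added illustration, not MinIO's own code: the type names `oldUserInfo`, `addOrUpdateUserReq`, `UserRecord` and the two handler functions are hypothetical, and the JSON bodies are constructed for the demonstration. It contrasts decoding into the over-broad type, where a caller's `"policy"` field silently lands in server state, with decoding into the narrowed type under `DisallowUnknownFields`, where the same body is rejected before any state changes.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// UserRecord is the server-side state the handler mutates (hypothetical).
// Policy is meant to change only through a separate policy-set path.
type UserRecord struct {
	SecretKey string
	Status    string
	Policy    string
}

// oldUserInfo mirrors the over-broad body type: it exposes a Policy field
// to a caller who is only supposed to rotate their own secret key.
type oldUserInfo struct {
	SecretKey string `json:"secretKey"`
	Status    string `json:"status"`
	Policy    string `json:"policy,omitempty"`
}

// addOrUpdateUserReq is the narrowed body type: no Policy field at all.
type addOrUpdateUserReq struct {
	SecretKey string `json:"secretKey"`
	Status    string `json:"status"`
}

// Constructed sample bodies (not captured traffic).
const escalationBody = `{"secretKey":"s3cr3t","status":"enabled","policy":"consoleAdmin"}`
const benignBody = `{"secretKey":"n3w","status":"enabled"}`

// vulnerableAddUser decodes the whole body and applies every field it
// finds, so a regular user can rewrite their own policy.
func vulnerableAddUser(rec *UserRecord, body []byte) error {
	var req oldUserInfo
	if err := json.Unmarshal(body, &req); err != nil {
		return err
	}
	rec.SecretKey = req.SecretKey
	rec.Status = req.Status
	if req.Policy != "" {
		rec.Policy = req.Policy // the privilege escalation
	}
	return nil
}

// fixedAddUser decodes into the narrowed type. Changing the type alone
// would make encoding/json drop "policy" silently; DisallowUnknownFields
// goes one step further and rejects the body, so a client that still
// sends the field gets an error instead of a false sense of success.
func fixedAddUser(rec *UserRecord, body []byte) error {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	var req addOrUpdateUserReq
	if err := dec.Decode(&req); err != nil {
		return fmt.Errorf("invalid request body: %w", err)
	}
	if req.SecretKey == "" {
		return errors.New("secretKey is required")
	}
	// Only the fields the endpoint is meant to manage are applied.
	rec.SecretKey = req.SecretKey
	rec.Status = req.Status
	return nil
}

func main() {
	rec := UserRecord{SecretKey: "old", Status: "enabled", Policy: "readonly"}
	_ = vulnerableAddUser(&rec, []byte(escalationBody))
	fmt.Printf("vulnerable path: policy is now %q\n", rec.Policy)

	rec = UserRecord{SecretKey: "old", Status: "enabled", Policy: "readonly"}
	err := fixedAddUser(&rec, []byte(escalationBody))
	fmt.Printf("fixed path: err=%v, policy still %q\n", err, rec.Policy)
}
```

The check to carry into review is the first one in the test below: with the broad type, a body that is valid for secret-key rotation also rewrites `Policy`; with the narrow type plus strict decoding, the same body fails closed and the record is untouched, while a body without `"policy"` still rotates the key.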


@@ -76,7 +76,7 @@ func TestCheckValid(t *testing.T) {
t.Fatalf("unable create credential, %s", err)
}
globalIAMSys.CreateUser(ctx, ucreds.AccessKey, madmin.UserInfo{
globalIAMSys.CreateUser(ctx, ucreds.AccessKey, madmin.AddOrUpdateUserReq{
SecretKey: ucreds.SecretKey,
Status: madmin.AccountEnabled,
})
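Review bot: this hunk only adapts TestCheckValid to the new madmin.AddOrUpdateUserReq body type; nothing in it exercises the behaviour the commit message says is being fixed. A regression test that sends a body with a "policy" field to the AddUser endpoint as a regular user and asserts that the user's policy is unchanged afterwards (and, if the new body type is decoded strictly, that the request is rejected) would keep the policy field from quietly coming back in a later refactor. The existing test passes only SecretKey and Status, so it would still pass even if the handler silently honoured a policy field again.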