Fix service account privilege escalation (#14729)

Ensure that a regular unprivileged user is unable to create service accounts for other users/root.
2025-11-09 13:39:46 -05:00 · 2022-04-11 15:30:28 -07:00
parent 153a612253
commit 66b14a0d32
3 changed files with 12 additions and 1 deletions
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@@ -605,7 +605,6 @@ func (a adminAPIHandlers) AddServiceAccount(w http.ResponseWriter, r *http.Reque
 			ConditionValues: getConditionValues(r, "", cred.AccessKey, claims),
 			IsOwner:         owner,
 			Claims:          claims,
-			DenyOnly:        true,
 		}) {
 			writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(ErrAccessDenied), r.URL)
 			return