Eucalyptus issue EUCA-3074

Walrus does not check authorization for some operations

Details

• Benefit: Medium
• Security: Yes
• SLA: Not Applicable
• Damage Potential: 9

      Description

      Walrus does not check authorization for the GetBucketLoggingStatus, SetBucketLoggingStatus and SetBucketVersioningStatus operations.

      Walrus authenticates the user but does not verify that the user is permitted to perform the operation on the bucket.

I've only verified the SetBucketVersioningStatus issue; the others come from code review, so they may be incorrect (see WalrusManager).


Sub-tasks

1. Obtain CVE (Sub-task, Closed, Unassigned)
2. Create ESA (Sub-task, Closed, Unassigned)

            Activity

Zach Hill (zhill) added a comment:

The correct behavior is that only the owner of the bucket should be able to set these properties.
Zach Hill (zhill) added a comment:

This should also be a strong candidate for 3.2.1. It is not a difficult fix or difficult to test. The fix is to add the permissions checks in 3-4 methods and test by verifying that non-bucket-owners cannot perform them but the bucket-owner can.
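A minimal model of the authentication-versus-authorization gap described in this issue, with the owner-only check the fix adds and the owner/non-owner test the comment above describes. This is an added example, not Eucalyptus or WalrusManager code; the account and bucket names are constructed.

```python
from dataclasses import dataclass

# Constructed model (not Eucalyptus code): bucket property operations that
# authenticate the caller but, before the fix, never check bucket ownership.

class AccessDenied(Exception):
    pass

@dataclass
class Bucket:
    owner: str                  # account that owns the bucket
    versioning: str = "Suspended"
    logging_enabled: bool = False

BUCKETS = {"shared-data": Bucket(owner="alice")}   # constructed sample state
VALID_ACCOUNTS = {"alice", "mallory"}               # accounts that can authenticate

def authenticate(caller):
    """Authentication only: is this a known account? Says nothing about buckets."""
    if caller not in VALID_ACCOUNTS:
        raise AccessDenied("unknown account")

def set_versioning_vulnerable(caller, name, status):
    """Before the fix: any authenticated account may change another owner's bucket."""
    authenticate(caller)
    BUCKETS[name].versioning = status
    return BUCKETS[name].versioning

def require_bucket_owner(caller, bucket):
    """Authorization: only the bucket owner may set these properties."""
    if caller != bucket.owner:
        raise AccessDenied(f"{caller} does not own the bucket")

def set_versioning_fixed(caller, name, status):
    """After the fix: authenticate, then verify ownership before touching state."""
    authenticate(caller)
    bucket = BUCKETS[name]
    require_bucket_owner(caller, bucket)
    bucket.versioning = status
    return bucket.versioning

def set_logging_fixed(caller, name, enabled):
    """Same owner check applied to the logging-status operation."""
    authenticate(caller)
    bucket = BUCKETS[name]
    require_bucket_owner(caller, bucket)
    bucket.logging_enabled = enabled
    return bucket.logging_enabled

def allowed(fn, caller, name, value):
    """True if fn lets caller change the setting; bucket state is restored after."""
    saved = (BUCKETS[name].versioning, BUCKETS[name].logging_enabled)
    try:
        fn(caller, name, value)
        return True
    except AccessDenied:
        return False
    finally:
        BUCKETS[name].versioning, BUCKETS[name].logging_enabled = saved
```

The `allowed` helper is the test the comment calls for: a non-owner must be refused by the fixed handlers while the owner succeeds, and the vulnerable handler shows why the check is needed.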
Neil Soman (neil) added a comment:

Committed to team/storage/EUCA-3074. To Vika for review.
Victor Iglesias (viglesias) added a comment:

Vika Felmetsger, will you be testing this fix?
Vika Felmetsger (rusvika) added a comment:

Victor Iglesias, yes, I'm in the middle of it. I'll let you know if I need any help from QA, but most likely not, as the fix is very localized.
Aaron Withrow (awithrow) added a comment:

3.2.2 has been released, moving this to Resolved.
