Kledsky / s3fuse

Automatically exported from code.google.com/p/s3fuse

s3fuse copies OAuth token directly to google storage bucket upon connecting #8

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. grant s3fuse OAuth access to google storage via instructions in readme.txt
2. add credentials, including the location of the local token file downloaded in step 1 above, to s3fuse.conf
3. mount the bucket with s3fuse command:
s3fuse -o config=~/.s3fuse/s3fuse.conf /local/mount/point
4. open the local mount point in a file explorer (dolphin)

At this point, I see a copying dialog copying the OAuth token, though it's 
stalled out at 0B. I also see the file in the bucket (size 0B) via Google's 
Cloud Console webpage.

s3fuse v0.14
netrunner 13.06rc2
kernel 3.8.0.25

My understanding here is limited but this seems to be a security vulnerability 
and unnecessary in the first place.

Original issue reported on code.google.com by jayarmst...@gmail.com on 4 Jul 2013 at 10:23

GoogleCodeExporter commented 9 years ago
This is bizarre -- s3fuse itself won't copy the OAuth token to your bucket, and 
it doesn't use dialog windows of any kind. Are you storing your token file in 
~/.s3fuse/?

Original comment by tar...@bedeir.com on 5 Jul 2013 at 12:09

GoogleCodeExporter commented 9 years ago
Yes, the token is in that dir. It was the regular KDE copy dialog that triggers 
anytime you copy something through the GUI. I can't think of any way I would 
have triggered that but it's possible. 

I deleted the file from the bucket and continued testing; everything seemed to 
work as expected after that.

Original comment by jayarmst...@gmail.com on 7 Jul 2013 at 9:41

GoogleCodeExporter commented 9 years ago
Did it only happen that one time, or has it happened again since? You could try 
enabling debug output in s3fuse, but that's not going to tell you who's 
initiating the copy.

Original comment by tar...@bedeir.com on 9 Jul 2013 at 7:50

GoogleCodeExporter commented 9 years ago
Just that one time. I haven't been able to reproduce it and since it must've 
been triggered somewhere in my desktop GUI (afaik), it seems unlikely that it 
was related to s3fuse.

My best guess is that an errant clipboard paste was triggered with a 
middle-button mouse click, which I never use intentionally. Also, to 
reemphasize, it looked like the file never transferred the contents, as both 
the copy progress and Google's cloud console showed 0B progress and size, 
respectively.

Original comment by jayarmst...@gmail.com on 14 Jul 2013 at 2:21

GoogleCodeExporter commented 9 years ago
That certainly makes sense. I'm going to close this issue, but if it happens 
again we can investigate further.

Original comment by tar...@bedeir.com on 14 Jul 2013 at 9:15