minio / docs

MinIO Object Storage Documentation
https://docs.min.io/minio/baremetal
Creative Commons Attribution 4.0 International

Check docs for fixed security vulnerability #1119

Open djwfyi opened 7 months ago

djwfyi commented 7 months ago

https://github.com/minio/minio/pull/18928 fixes a security vulnerability that would allow service accounts to perform permission escalation.

Check docs for any changes that might need to be made:

djwfyi commented 7 months ago

Security advisory notice: https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4

djwfyi commented 7 months ago

Fix is in Server release RELEASE.2024-01-31T20-20-33Z

ravindk89 commented 7 months ago

@donatello can you provide some color on the above?

Looking at https://github.com/minio/minio/pull/18928/files#diff-ef268fe29d8a37a689fc4720dcb9feb441bb3076def2ed405c717ab586d6baa2R790-R791 I can see we're looking for a specific policy.

We do have https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html#policy-action.admin-UpdateServiceAccount but that would be covered in admin:* permissions. So just checking for that wouldn't necessarily close this bug off, right?

Or did we add a new policy action UpdateServiceAccountAdminAction that exists outside of the s3:* and admin:* buckets? Which would imply this flag would now be required for root + all other users before you could modify service accounts?

Some detail would help here for us to document.
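The question above is whether a check for one specific action is already implied by a broader `admin:*` grant. The following is an added example, not code from MinIO or from anyone in this thread: a deliberately simplified evaluator for a MinIO-style JSON policy document that shows how wildcard action patterns subsume specific action names, and how an explicit Deny still wins. The three sample policies are constructed for the example; the struct only handles the array form of `Action` and ignores `Resource` and `Condition`, which real MinIO policies also carry.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
)

// Statement is a simplified MinIO/AWS-style policy statement.
// Assumption for this example: Action is always an array, and
// Resource/Condition are ignored because admin actions are not resource-scoped.
type Statement struct {
	Effect string   `json:"Effect"`
	Action []string `json:"Action"`
}

// Policy is the top-level policy document.
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// actionMatches reports whether a pattern such as "admin:*" covers a
// concrete action such as "admin:UpdateServiceAccount". path.Match treats
// '*' as "any run of non-'/' characters", which is enough for action names.
func actionMatches(pattern, action string) bool {
	ok, err := path.Match(pattern, action)
	return err == nil && ok
}

// Allows evaluates the policy for one action: any matching Deny wins
// outright, otherwise the action is allowed only if some Allow matches.
func Allows(p Policy, action string) bool {
	allowed := false
	for _, st := range p.Statement {
		for _, pat := range st.Action {
			if !actionMatches(pat, action) {
				continue
			}
			if st.Effect == "Deny" {
				return false
			}
			if st.Effect == "Allow" {
				allowed = true
			}
		}
	}
	return allowed
}

// ParsePolicy decodes a JSON policy document.
func ParsePolicy(doc string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// Constructed sample policies (not taken from the issue or from MinIO docs).
const (
	// Broad admin grant: covers every admin:* action, including the one in question.
	adminWildcard = `{"Version":"2012-10-17","Statement":[
	  {"Effect":"Allow","Action":["admin:*"]}]}`
	// Narrow grant: can list service accounts but not update them.
	onlyList = `{"Version":"2012-10-17","Statement":[
	  {"Effect":"Allow","Action":["admin:ListServiceAccounts"]}]}`
	// Broad grant with an explicit Deny carved out for updates.
	denyUpdate = `{"Version":"2012-10-17","Statement":[
	  {"Effect":"Allow","Action":["admin:*"]},
	  {"Effect":"Deny","Action":["admin:UpdateServiceAccount"]}]}`
)

func main() {
	for name, doc := range map[string]string{
		"admin:* only": adminWildcard, "list only": onlyList, "admin:* with deny": denyUpdate,
	} {
		p, err := ParsePolicy(doc)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%-18s UpdateServiceAccount allowed: %v\n",
			name, Allows(p, "admin:UpdateServiceAccount"))
	}
}
```

The point the example makes for the documentation question: a policy that grants `admin:*` already satisfies a check for `admin:UpdateServiceAccount`, so the docs only need to describe the specific action as the thing that must be granted, and note that `admin:*` (and any explicit Deny) behaves as usual.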

ravindk89 commented 6 months ago

ping @donatello on the above