
Check docs for fixed security vulnerability

Open djwfyi opened this issue 1 year ago • 4 comments

https://github.com/minio/minio/pull/18928 fixes a security vulnerability that would allow service accounts to escalate permissions.

Check docs for any changes that might need to be made:

  • [ ] Warning about admin:* on https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html#policy-action.admin, that such a grant may allow a user to edit their own permissions.
  • [ ] Check for the UpdateServiceAccountAdminAction vs admin.UpdateServiceAccount we document. Are these the same? Where does the first come into play? Is it a special flag that got added? If so, when?

djwfyi, Feb 05 '24 21:02

Security advisory notice: https://github.com/minio/minio/security/advisories/GHSA-xx8w-mq23-29g4

djwfyi, Feb 05 '24 21:02

Fix is in Server release RELEASE.2024-01-31T20-20-33Z

djwfyi, Feb 05 '24 21:02

@donatello can you provide some color on the above?

Looking at https://github.com/minio/minio/pull/18928/files#diff-ef268fe29d8a37a689fc4720dcb9feb441bb3076def2ed405c717ab586d6baa2R790-R791 I can see we're looking for a specific policy.

We do have https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html#policy-action.admin-UpdateServiceAccount, but that would be covered by admin:* permissions. So just checking for that wouldn't necessarily close this bug off, right?

Or did we add a new policy action UpdateServiceAccountAdminAction that exists outside of the s3:* and admin:* buckets? Which would imply this flag would now be required for root + all other users before you could modify service accounts?

Some detail would help here for us to document.

ravindk89, Feb 05 '24 21:02
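The question above hinges on the fact that a wildcard such as admin:* matches the narrower admin:UpdateServiceAccount, so a docs warning or an audit that only looks for the literal action name misses wildcard grants. The following is an added example, not MinIO's own code or part of this issue: a small audit that walks MinIO-style policy documents (the AWS-IAM-like Version/Statement/Effect/Action format MinIO uses) and reports which policies grant admin:UpdateServiceAccount either explicitly or through a wildcard. It assumes, as in AWS IAM, that an explicit Deny overrides an Allow; the policy names and documents in SAMPLE_POLICIES are constructed for the example.

```python
"""Audit MinIO-style policy documents for grants of admin:UpdateServiceAccount.

Added example, not MinIO code. Assumes the AWS-IAM-like policy format MinIO
uses (Version / Statement / Effect / Action, Resource only on s3 statements)
and that an explicit Deny overrides an Allow.
"""
import json
import re
from typing import Dict, List, Tuple

TARGET_ACTION = "admin:UpdateServiceAccount"


def action_matches(pattern: str, action: str) -> bool:
    """Case-insensitive glob match where '*' matches any run of characters.

    'admin:*' therefore matches 'admin:UpdateServiceAccount', which is why an
    audit for the literal action name alone is not sufficient.
    """
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def _as_list(value) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def grants_action(policy: dict, action: str = TARGET_ACTION) -> Tuple[bool, List[str]]:
    """Return (granted, patterns) for a parsed policy document.

    `patterns` lists the Action entries that matched. If any matching
    statement is a Deny, the action is reported as not granted and the
    denying patterns are returned instead (assumed Deny-over-Allow semantics).
    """
    allowed_by: List[str] = []
    denied_by: List[str] = []
    for stmt in _as_list(policy.get("Statement", [])):
        for pattern in _as_list(stmt.get("Action", [])):
            if action_matches(pattern, action):
                bucket = allowed_by if stmt.get("Effect") == "Allow" else denied_by
                bucket.append(pattern)
    if denied_by:
        return False, denied_by
    return bool(allowed_by), allowed_by


def audit(policies: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each policy name to the patterns that grant the target action.

    An empty list means the policy does not grant it (or explicitly denies it).
    """
    findings: Dict[str, List[str]] = {}
    for name, document in policies.items():
        granted, patterns = grants_action(json.loads(document))
        findings[name] = patterns if granted else []
    return findings


# Constructed sample policies for the example; names are hypothetical.
SAMPLE_POLICIES: Dict[str, str] = {
    # Wildcard admin grant, as in a consoleAdmin-style policy: covers the target action.
    "wildcard-admin": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["admin:*"]},
            {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]},
        ],
    }),
    # Literal grant of the documented action.
    "explicit-sa-update": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "admin:UpdateServiceAccount"}],
    }),
    # No admin actions at all.
    "read-only": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::*"]},
        ],
    }),
    # Wildcard admin grant carved back with an explicit Deny of the target action.
    "admin-minus-sa-update": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["admin:*"]},
            {"Effect": "Deny", "Action": ["admin:UpdateServiceAccount"]},
        ],
    }),
}


if __name__ == "__main__":
    for policy_name, patterns in audit(SAMPLE_POLICIES).items():
        status = "GRANTS via " + ", ".join(patterns) if patterns else "does not grant"
        print(f"{policy_name}: {status} {TARGET_ACTION}")
```

Run stand-alone it prints one line per sample policy; the point to carry into the docs check is that "wildcard-admin" is flagged via admin:* even though admin:UpdateServiceAccount never appears in it, while the policy that pairs admin:* with an explicit Deny is not.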

ping @donatello on the above

ravindk89, Feb 21 '24 18:02