cloudstack-issues mailing list archives
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-3030) Object_Store_Refactor - Download template from S3 should not set template to public-readable.
Date Tue, 18 Jun 2013 16:46:24 GMT

[ https://issues.apache.org/jira/browse/CLOUDSTACK-3030?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13686911#comment-13686911 ]

ASF subversion and git services commented on CLOUDSTACK-3030:
-------------------------------------------------------------

Commit 1eb39665bd802577f7d925c9703fcd0549996329 in branch refs/heads/object_store from [~minchen07]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=1eb3966 ]

CLOUDSTACK-3030: Object_Store_Refactor - Download template from S3
should not set template to public-readable.
                
> Object_Store_Refactor - Download template from S3 should not set template to public-readable.
> ---------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3030
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3030
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Template
>         Environment: latest object_store branch on fedora 17
> devcloud on same machine
> Cloudian (for S3 services) on separate machine. (expect similar result with other S3
> object stores).
>            Reporter: Thomas O'Dowd
>            Assignee: Min Chen
>
> This is a security issue in my opinion.
> When you upload a template to S3 secondary storage and then try to download it, Cloudstack
> changes the permission on the S3 object to the canned acl "public-read" and then displays
> the url in a popup which the user can click on to download the template.
> Using "public-read" is bad because it means that anyone who knows the S3 object name
> can now download the template. Instead of using the canned-acl "public-read", I recommend
> using "Query String Request Authentication Alternative" which is described at the following
> url: http://docs.aws.amazon.com/AmazonS3/2006-03-01/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
> This allows Cloudstack to generate a unique short lived url for the user to download
> the template while keeping the template private in the S3 object store.
> Steps:
> 1. setup S3 object storage (can be amazon) 
> 2. Add S3 as secondary storage in Cloudstack.
> 3. Upload a new template (I uploaded "tinyLinux.vhd.gz" by giving a url on my local network
> where I had it hosted)
> 4. Try to download the template.
> When you download via the GUI, you can check the ACL of the template object and see that
> it can be downloaded by anyone. If you check the XML of the response you should find the following
> grant.
> ====== Partial XML showing S3 object has public read access =====
> <Grant>
>   <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
>     <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
>   </Grantee><Permission>READ</Permission>
> </Grant>
> ====== end of XML showing S3 object has public read access =====
> The canned-acl "public-read" is applied to the template in a separate operation when
> you click to download the template using a PUT Object ACL request.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
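The alternative the reporter recommends, a short-lived query-string-authenticated (pre-signed) GET URL that leaves the object private, is sketched below as an added example; it is not CloudStack's code or the fix committed above. It implements the 2006-03-01 signature scheme from the linked AWS page (HMAC-SHA1 over "GET\n\n\n{Expires}\n/{bucket}/{key}"), and the verifier mirrors what the object store does server-side, so a defender can see why an expired, tampered or wrongly-signed link is rejected. Bucket, key, endpoint and the AWS documentation's example credentials are assumed values.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlparse


def string_to_sign(bucket, key, expires, verb="GET"):
    # V2 StringToSign for a query-string authenticated request with no
    # Content-MD5, Content-Type or x-amz-* headers (the template download case).
    return f"{verb}\n\n\n{expires}\n/{bucket}/{key}"


def sign(secret_key, s2s):
    # Signature = Base64(HMAC-SHA1(SecretAccessKey, StringToSign))
    digest = hmac.new(secret_key.encode(), s2s.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def presigned_get_url(access_key, secret_key, bucket, key, ttl_seconds,
                      endpoint="s3.amazonaws.com", now=None):
    # Instead of a PUT Object ACL with "public-read", hand the user a URL that
    # only works until `expires`; the object's ACL stays private.
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    signature = sign(secret_key, string_to_sign(bucket, key, expires))
    query = (f"AWSAccessKeyId={quote(access_key, safe='')}&Expires={expires}"
             f"&Signature={quote(signature, safe='')}")
    return f"https://{bucket}.{endpoint}/{quote(key, safe='/')}?{query}"


def verify_presigned_get_url(url, access_key, secret_key, now=None):
    # Server-side check: reject if expired, then recompute and compare the
    # signature in constant time. Any change to bucket, key or Expires fails.
    now = int(time.time()) if now is None else now
    parts = urlparse(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["Expires"][0])
        presented = params["Signature"][0]
        presented_id = params["AWSAccessKeyId"][0]
    except (KeyError, ValueError):
        return False
    if presented_id != access_key or now > expires:
        return False
    bucket = parts.hostname.split(".", 1)[0]  # virtual-hosted style bucket
    key = unquote(parts.path.lstrip("/"))
    expected = sign(secret_key, string_to_sign(bucket, key, expires))
    return hmac.compare_digest(presented, expected)
```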
