Fix .admin get_user privileges.
Bug #747618 reported by
gholt
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Object Storage (swift) |
Fix Released
|
Critical
|
gholt | ||
Bug Description
In swauth user acting as .admin for some account can retrieve data for any user that belong to that account. If it happens that reseller admin is registered in the given account, malicious admin can obtain credentials of .reseller_admin via GET v2/account/
It looks like common/
1) .super_admin and .reseller_admin can get info for any user
2) .admin can get info for all users that are not .reseller_admins
Does it make sense?
Related branches
lp:~gholt/swift/lp747618
- John Dickinson: Approve
-
Diff: 120 lines (+86/-6)2 files modifiedswift/common/middleware/swauth.py (+6/-0)
test/unit/common/middleware/test_swauth.py (+80/-6)
lp:~gholt/swift/lp747618_1_2
- Swift Core security contacts: Pending requested
-
Diff: 121 lines (+87/-7)2 files modifiedswift/common/middleware/swauth.py (+6/-0)
test/unit/common/middleware/test_swauth.py (+81/-7)
| Changed in swift: | |
| assignee: | nobody → gholt (gholt) |
| importance: | Undecided → Critical |
| status: | New → In Progress |
Revision history for this message
| gholt (gholt) wrote | #1 |
| Changed in swift: | |
| status: | In Progress → Fix Committed |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
This changed a bit from the original description:
Now:
.super_admin may get any user info
.reseller_admin may not get .reseller_admin info, but can get .admin and regular user info
.admin may not get .reseller_admin or .admin info, but can get regular user info
users can't get any user info