[jira] [Created] (CLOUDSTACK-3030) Object_Store_Refactor - Download template from S3 should not set template to public-readable.

Sun, 16 Jun 2013 23:49:47 -0700 

Thomas O'Dowd created CLOUDSTACK-3030:
-----------------------------------------

             Summary: Object_Store_Refactor - Download template from S3 should 
not set template to public-readable.
                 Key: CLOUDSTACK-3030
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3030
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Template
         Environment: latest object_store branch on fedora 17 
devcloud on same machine 
Cloudian (for S3 services) on separate machine. (expect similar result with 
other S3 object stores).
            Reporter: Thomas O'Dowd


This is a security issue in my opinion.

When you upload a template to S3 secondary storage and then try to download it, 
Cloudstack changes the permission on the S3 object to the canned acl 
"public-read" and then displays the url in a popup which the user can click on 
to download the template. 

Using "public-read" is bad because it means that anyone who knows the S3 object 
name can now download the template. Instead of using using the canned-acl  
"public-read", I recommend using "Query String Request Authentication 
Alternative" which is described at the following url: 
http://docs.aws.amazon.com/AmazonS3/2006-03-01/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth

This allows Cloudstack to generate a unique short lived url for the user to 
download the template while keeping the template private in the S3 object store.

Steps:
1. setup S3 object storage (can be amazon) 
2. Add S3 as secondary storage in Cloudstack.
3. Upload a new template (I uploaded "tinyLinux.vhd.gz" by giving a url on my 
local network where I had it hosted)
4. Try to download the template.

When you download the gui, you can check the ACL of the template object and see 
that it can be downloaded by anyone. If you check the XML of the response you 
should find the following grant.

====== Partial XML showing S3 object has public read access =====
<Grant>
  <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:type="Group">
    <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
  </Grantee><Permission>READ</Permission>
</Grant>
====== end of XML showing S3 object has public read access =====

The canned-acl "public-read" is applied to the template in a separate operation 
when you click to download the template using a PUT Object ACL request.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to