[ https://issues.apache.org/jira/browse/CLOUDSTACK-3030?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas O'Dowd updated CLOUDSTACK-3030:
--------------------------------------

    Fix Version/s: 4.2.0

> Object_Store_Refactor - Download template from S3 should not set template to public-readable.
> ---------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3030
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3030
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: Template
>         Environment: latest object_store branch on fedora 17
>                      devcloud on same machine
>                      Cloudian (for S3 services) on separate machine. (expect similar result with other S3 object stores).
>            Reporter: Thomas O'Dowd
>            Assignee: Min Chen
>             Fix For: 4.2.0
>
>
> This is a security issue in my opinion.
>
> When you upload a template to S3 secondary storage and then try to download it, Cloudstack changes the permission on the S3 object to the canned acl "public-read" and then displays the url in a popup which the user can click on to download the template.
>
> Using "public-read" is bad because it means that anyone who knows the S3 object name can now download the template. Instead of using the canned-acl "public-read", I recommend using "Query String Request Authentication Alternative" which is described at the following url:
>
> http://docs.aws.amazon.com/AmazonS3/2006-03-01/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
>
> This allows Cloudstack to generate a unique short lived url for the user to download the template while keeping the template private in the S3 object store.
>
> Steps:
> 1. setup S3 object storage (can be amazon)
> 2. Add S3 as secondary storage in Cloudstack.
> 3. Upload a new template (I uploaded "tinyLinux.vhd.gz" by giving a url on my local network where I had it hosted)
> 4. Try to download the template.
>
> When you download via the gui, you can check the ACL of the template object and see that it can be downloaded by anyone. If you check the XML of the response you should find the following grant.
>
> ====== Partial XML showing S3 object has public read access =====
> <Grant>
>   <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
>     <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
>   </Grantee>
>   <Permission>READ</Permission>
> </Grant>
> ====== end of XML showing S3 object has public read access =====
>
> The canned-acl "public-read" is applied to the template in a separate operation when you click to download the template using a PUT Object ACL request.
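The query-string authentication the reporter recommends, shown as an added example that is not part of the issue or of CloudStack's code: a short-lived signed GET URL for an object that stays private, built from the S3 (signature version 2) StringToSign in the linked AWS document, plus the check the object store performs on receipt. The credentials, endpoint (s3.example.test) and bucket name (templates) are constructed placeholders, not real values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

# Constructed placeholder credentials and endpoint (not real keys or hosts).
ACCESS_KEY = "AKIAEXAMPLEACCESSKEY"
SECRET_KEY = "example/secret/key/not/real"
ENDPOINT = "https://s3.example.test"


def string_to_sign(verb, resource, expires):
    """StringToSign for S3 query-string auth: Verb, Content-MD5, Content-Type,
    Expires (epoch seconds), then the canonicalized resource (/bucket/key).
    A template download is a plain GET, so MD5 and Content-Type are empty."""
    return f"{verb}\n\n\n{expires}\n{resource}"


def sign(secret, message):
    """Signature = Base64(HMAC-SHA1(SecretAccessKey, StringToSign))."""
    digest = hmac.new(secret.encode(), message.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def presigned_get_url(bucket, key, expires, access_key=ACCESS_KEY, secret=SECRET_KEY):
    """Build the short-lived download URL. The grant lives in the signature,
    so no PUT Object ACL / public-read is ever applied to the object.
    Assumes `key` needs no further URL encoding (true for tinyLinux.vhd.gz)."""
    resource = f"/{bucket}/{key}"
    signature = sign(secret, string_to_sign("GET", resource, expires))
    query = (f"AWSAccessKeyId={quote(access_key, safe='')}&Expires={expires}"
             f"&Signature={quote(signature, safe='')}")
    return f"{ENDPOINT}{resource}?{query}"


def verify_presigned_get(url, secret, now):
    """What the object store does on receipt: reject if past Expires, then
    recompute the signature over the path and Expires and compare it in
    constant time. A changed path, Expires or secret fails the check."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    expires = int(query["Expires"][0])
    if now > expires:
        return False
    expected = sign(secret, string_to_sign("GET", parts.path, expires))
    return hmac.compare_digest(expected, query["Signature"][0])
```

Because the signature covers the object path and the expiry, the URL cannot be reused for another object or after it lapses, which is the property the canned "public-read" ACL gives up.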