fix privilege escalation against inter-node communication (#7474)

This commit fixes another privilege escalation issue abusing the inter-node communication of distributed servers to obtain/modify the server configuration. The inter-node communication is authenticated using JWT-Tokens. Further, IAM users accessing the cluster via the web UI also get a JWT token and the browser will add this "user" JWT token to each the request. Now, a user can extract that JWT token an can craft HTTP POST requests for the inter-node communication API endpoint. Since the server accepts ANY valid JWT token it also accepts inter-node commands from an authenticated user such that the user can execute arbitrary commands bypassing the IAM policy engine and impersonate other users, change its own IAM policy or extract the admin access/secret key. This is fixed by only accepting "admin" JWT tokens (tokens containing the admin access key - and therefore were generated with the admin secret key). Consequently, only the admin user can execute such inter-node commands.
6 years ago · 9a740736a4
parent 313a3a286a
commit 9a740736a4
1 changed files with 6 additions and 1 deletions
--- a/cmd/storage-rest-server.go
+++ b/cmd/storage-rest-server.go
@ -49,9 +49,14 @@ func (s *storageRESTServer) writeErrorResponse(w http.ResponseWriter, err error)

 // Authenticates storage client's requests and validates for skewed time.
 func storageServerRequestValidate(r *http.Request) error {
-	if _, _, err := webRequestAuthenticate(r); err != nil {
+	_, owner, err := webRequestAuthenticate(r)
+	if err != nil {
 		return err
 	}
+	if !owner { // Disable access for non-admin users.
+		return errAuthentication
+	}
+
 	requestTimeStr := r.Header.Get("X-Minio-Time")
 	requestTime, err := time.Parse(time.RFC3339, requestTimeStr)
 	if err != nil {