
RGW Tricks: Working with the system Privilege

用户1260683
Published 2018-01-31 11:57:43

Enabling the system privilege

root@demohost:/home/user# radosgw-admin user modify --system=1 --uid=s3user 
{
    "user_id": "s3user",
    "display_name": "s3user",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "auid": 0,
    "subusers": [],
    "keys": [
        {
            "user": "s3user",
            "access_key": "",
            "secret_key": ""
        }
    ],
    "swift_keys": [],
    "caps": [],
    "op_mask": "read, write, delete",
    "system": "true", # system privilege is now enabled
    "default_placement": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    },
    "temp_url_keys": []
}

Disabling the system privilege

root@demohost:/home/user# radosgw-admin user modify --system=0 --uid=s3user 
{
    "user_id": "s3user",
    "display_name": "s3user",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "auid": 0,
    "subusers": [],
    "keys": [
        {
            "user": "s3user",
            "access_key": "",
            "secret_key": ""
        }
    ],
    "swift_keys": [],
    "caps": [],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    },
    "temp_url_keys": []
}

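Once the system privilege is enabled, the response body of a create_bucket request returns the various hidden attributes of the corresponding bucket.

The Python test code is as follows: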

# -*- coding: utf-8 -*-
import boto
import boto.s3.connection

bucket_name = 'user-bucket1'
access_key = ''  # access key of s3user
secret_key = ''  # secret key of s3user
endpoint = 's3.ceph.work'

# Plain-HTTP, path-style connection to the RGW endpoint
conn = boto.connect_s3(
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    host=endpoint,
    is_secure=False,
    calling_format=boto.s3.connection.OrdinaryCallingFormat(),
    validate_certs=True,
)

# Send the create_bucket request whose response body is compared below
bucket = conn.create_bucket(bucket_name)

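Before the privilege is enabled, the response body is empty.

After it is enabled, all of the bucket's hidden metadata is exposed.

One last point: the system privilege is very powerful. Do not enable it casually, because it can easily lead to privilege expansion and leakage of hidden information.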
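
To keep track of which accounts hold the flag, the following added example (not code from the original article) audits concatenated `radosgw-admin user info` outputs and reports users with the system privilege that are not on an allowlist. It relies on the behaviour visible in the two outputs above: the field is the string "true" when enabled and is absent when disabled. The sample records, the `sync-user` account and the allowlist are constructed for illustration.

```python
import json
import sys


def iter_records(text):
    """Yield each JSON object from concatenated `radosgw-admin user info` outputs."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        # raw_decode() rejects leading whitespace, so skip it between documents.
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        record, pos = decoder.raw_decode(text, pos)
        yield record


def is_system_user(record):
    """Return True if the record carries the system flag.

    The output above prints the string "true" when set and omits the key when
    unset. A JSON boolean is also accepted, on the assumption that other
    releases may print one.
    """
    value = record.get("system", False)
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return value is True


def audit_system_users(text, allowlist=()):
    """Return the sorted uids that hold the system flag and are not allowlisted."""
    return sorted({r["user_id"] for r in iter_records(text)
                   if is_system_user(r) and r["user_id"] not in allowlist})


# Constructed sample: three trimmed records in the format shown above.
SAMPLE = """
{"user_id": "s3user", "caps": [], "op_mask": "read, write, delete", "system": "true"}
{"user_id": "appuser", "caps": [], "op_mask": "read, write, delete"}
{"user_id": "sync-user", "caps": [],
 "system": "true"}
"""

if __name__ == "__main__":
    # Reads piped `user info` output; falls back to the constructed sample on a TTY.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    # "sync-user" is a hypothetical account expected to hold the flag.
    for uid in audit_system_users(data, allowlist={"sync-user"}):
        print("unexpected system user:", uid)
```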

Originally published: 2017-04-25

This article is shared from the WeChat official account Ceph对象存储方案.
