We have not seen the occurrence of this in the wild; however, this is a possibility. A user with consoleAdmin permissions can potentially create a user that matches the root credential accessKey. Once this user is created successfully, the root credential ceases to work appropriately.
commit 54df59966973354304d89e3000806f9837297c1c
Author: Harshavardhana <harsha@minio.io>
Date: Mon Mar 13 10:25:07 2023 -0700
Do not allow adding root user to IAM subsystem
A user with sufficient admin level privileges can
add the root user into the IAM subsystem, which would
lead to permanently disabled access for root
credentials.
The problem exists since RELEASE.2020-12-23T02-24-12Z
release onwards; a similar issue was also introduced in the IAM
import API since RELEASE.2022-06-25T15-50-16Z.
This PR fixes both scenarios.
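As an added illustration, not MinIO's own code, the following Go sketch models the guard the fix describes: both the user-creation path and the IAM import path reject an access key that equals the root credential, and the import path validates every entry before writing any. IAMStore, NewIAMStore, AddUser, ImportUsers and ErrRootUserNotAllowed are hypothetical names, and "rootkey" is a constructed sample value.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrRootUserNotAllowed (hypothetical name) is returned when an IAM write would shadow the root credential.
var ErrRootUserNotAllowed = errors.New("iam: access key matches the root credential")

// IAMStore is a toy in-memory IAM subsystem. The root access key is held
// apart from the user map because root must never become a regular IAM user.
type IAMStore struct {
	rootAccessKey string
	users         map[string]string // access key -> secret key
}

func NewIAMStore(rootAccessKey string) *IAMStore {
	return &IAMStore{rootAccessKey: rootAccessKey, users: make(map[string]string)}
}

// isRootAccessKey is the guard the fix adds: an IAM user carrying the root
// access key would take precedence over the static root credential.
func (s *IAMStore) isRootAccessKey(accessKey string) bool {
	return accessKey == s.rootAccessKey
}

// AddUser is the direct "create user" path (e.g. a consoleAdmin calling the admin API).
func (s *IAMStore) AddUser(accessKey, secretKey string) error {
	if s.isRootAccessKey(accessKey) {
		return ErrRootUserNotAllowed
	}
	s.users[accessKey] = secretKey
	return nil
}

// ImportUsers is the IAM import path. Every entry is validated before any
// is written, so a bad import file cannot partially poison the store.
func (s *IAMStore) ImportUsers(users map[string]string) error {
	for ak := range users {
		if s.isRootAccessKey(ak) {
			return fmt.Errorf("import entry %q: %w", ak, ErrRootUserNotAllowed)
		}
	}
	for ak, sk := range users {
		s.users[ak] = sk
	}
	return nil
}
```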
Patches
Workarounds
There are ways to work around this by adding higher privileges to the disabled root user via mc admin policy set.
References
#16803 should have more details on the fixes.