Privileges::determine_allowed should consider resources #15

Closed
danielpops opened this issue Mar 9, 2018 · 2 comments

Comments

@danielpops (Contributor) commented Mar 9, 2018

I think there's a bug here:

    def determine_allowed(self):
        [...]
        # Look at denied
        for stmt in self.stmts:
            if stmt['Effect'] == 'Deny':
                stmt_actions = self.get_actions_from_statement(stmt)
                for action in stmt_actions:
                    if action in actions:
                        del actions[action]

Consider the following policy statements, which give:

  • Full access (except for CreateBucket) to most buckets
  • No access to one particular bucket
    "Statement": [
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "s3:CreateBucket",
            "Effect": "Deny",
            "Resource": "*"
        },
        {
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::super-sensitive-bucket",
                "arn:aws:s3:::super-sensitive-bucket/*"
            ]
        }
    ]

Expected:
The list of allowed actions should contain everything except s3:CreateBucket.
Actual:
The list of allowed actions is empty.

A naive solution could be to only delete the action key if the resource is * (or maybe something like it... like s3://*).
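The bug and the proposed resource check, as an added example that is not part of the issue or of cloudtracker's code: `determine_allowed_naive` reproduces the reported behaviour on the policy above, and `determine_allowed` only drops an action when the Deny carries `Resource: "*"`, otherwise keeping the action and recording which resources it is denied on. The policy and the trimmed `S3_ACTIONS` list are constructed samples; Allow-side resources, `NotAction`, `NotResource` and `Condition` are deliberately out of scope.

```python
import fnmatch

# Constructed sample mirroring the policy in the issue (not cloudtracker's own code or data).
POLICY = {"Statement": [
    {"Action": "s3:*", "Effect": "Allow", "Resource": "*"},
    {"Action": "s3:CreateBucket", "Effect": "Deny", "Resource": "*"},
    {"Action": "s3:*", "Effect": "Deny", "Resource": [
        "arn:aws:s3:::super-sensitive-bucket",
        "arn:aws:s3:::super-sensitive-bucket/*"]},
]}

# Hypothetical, trimmed action list standing in for the full s3 action set.
S3_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:ListBucket",
              "s3:CreateBucket", "s3:DeleteBucket"]

def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def expand_actions(patterns, known=S3_ACTIONS):
    """Expand wildcard patterns such as 's3:*' against known action names (case-insensitive)."""
    return {a for a in known for p in _as_list(patterns) if fnmatch.fnmatchcase(a.lower(), p.lower())}

def determine_allowed_naive(policy, known=S3_ACTIONS):
    """Reproduces the reported behaviour: any Deny removes the action, whatever its Resource."""
    allowed = set().union(*(expand_actions(s["Action"], known)
                            for s in policy["Statement"] if s["Effect"] == "Allow"))
    denied = set().union(*(expand_actions(s["Action"], known)
                           for s in policy["Statement"] if s["Effect"] == "Deny"))
    return allowed - denied

def determine_allowed(policy, known=S3_ACTIONS):
    """Return {action: [resources it is denied on]}; only a Deny on Resource '*' drops the action."""
    allowed = {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow":
            for action in expand_actions(stmt["Action"], known):
                allowed.setdefault(action, [])
    for stmt in (s for s in policy["Statement"] if s["Effect"] == "Deny"):
        resources = _as_list(stmt["Resource"])
        # Iterate over a fresh set so deleting from the dict while looping is safe.
        for action in expand_actions(stmt["Action"], known) & set(allowed):
            if "*" in resources:
                del allowed[action]  # global deny wins everywhere
            else:
                allowed[action].extend(resources)  # scoped deny: keep the action, record the carve-out
    return allowed
```

On the sample policy the naive version returns an empty set, while the resource-aware version keeps every action except s3:CreateBucket and notes the sensitive bucket as a carve-out on each of them.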

@0xdabbad00 (Collaborator) commented:

Looks like this is a motivator for me to implement #2 to use policyuniverse, which should solve this and similar issues for me.

danielpops added a commit to danielpops/cloudtracker that referenced this issue Mar 9, 2018
@0xdabbad00 (Collaborator) commented:

Resolved in 20d5473
