rgw: prevent data sync from replicating to buckets not owned by the user

clwluvw · clwluvw · commit 7e53cf7013ae · 2025-02-14T12:39:54.000+01:00
Issue https://tracker.ceph.com/issues/68884 revealed that because user_acl is initialized by default in RGWUserPermHandler::Init with the same identity, calling verify_bucket_permission_no_policy() would mistakenly allow the request since the user ACL matches the identity. Removing the default creation of user_acl would align the behavior with other S3 operations to prevent unauthorized data replication. Fixes: https://tracker.ceph.com/issues/69972 Signed-off-by: Seena Fallah <seenafallah@gmail.com>
diff --git a/src/rgw/driver/rados/rgw_data_sync.cc b/src/rgw/driver/rados/rgw_data_sync.cc
@@ -2694,8 +2694,8 @@ class RGWUserPermHandler {
 
       ret = RGWUserPermHandler::policy_from_attrs(
           sync_env->cct, user->get_attrs(), &info->user_acl);
-      if (ret == -ENOENT) {
-        info->user_acl.create_default(uid, user->get_display_name());
+      if (ret < 0 && ret != -ENOENT) {
+        return ret;
       }
 
       return 0;

Original file line number	Diff line number	Diff line change
`@@ -2694,8 +2694,8 @@ class RGWUserPermHandler {`
`2694`	`2694`
`2695`	`2695`	`ret = RGWUserPermHandler::policy_from_attrs(`
`2696`	`2696`	`sync_env->cct, user->get_attrs(), &info->user_acl);`
`2697`		`- if (ret == -ENOENT) {`
`2698`		`- info->user_acl.create_default(uid, user->get_display_name());`
	`2697`	`+ if (ret < 0 && ret != -ENOENT) {`
	`2698`	`+ return ret;`
`2699`	`2699`	`}`
`2700`	`2700`
`2701`	`2701`	`return 0;`