
Change AWS_DEFAULT_ACL to 'private' #381

Closed

jonashaag opened this issue Aug 14, 2017 · 4 comments
@jonashaag
  1. For obvious security reasons
  2. Because it doesn't work out of the box with the default S3 tutorial (which doesn't grant publish permissions), with no good error message ("Access Denied", where a good message would be "Access to make file public-read denied")
@jschneier (Owner)

I agree, will have to go in a 2.0 release. I've been lax about breaking changes because they are usually smaller and not in widely used backends. This would not be that in any way.

@jschneier jschneier modified the milestone: 1.2 Aug 14, 2017
@robatwave commented Sep 25, 2017

By default it shouldn't set an ACL at all (boto's default behaviour), and defer to the bucket's ACL? Or, as a non-breaking change, there should be an option to not explicitly set an ACL on the object. That way you could give an application's IAM role PutObject without having to also give it PutObjectAcl.

@robatwave

Just to follow up: looks like we can work around this by explicitly setting AWS_DEFAULT_ACL to None in settings.
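The two comments above describe the same mechanism: an explicit canned ACL on the object (e.g. `public-read`) makes the upload need `s3:PutObjectAcl` in addition to `s3:PutObject`, and sending no ACL at all lets the bucket's own policy govern access. The following is an added example, not django-storages or AWS code: it models how the `AWS_DEFAULT_ACL` setting turns into the `ExtraArgs` of an S3 upload, which IAM actions that upload then needs, and evaluates a small constructed IAM policy against them with a deliberately minimal evaluator (explicit Deny wins, then any Allow, otherwise implicit deny; only `*`/`?` wildcards on a single resource ARN are handled, which is an assumption for illustration). The bucket name, object ARN and policies are constructed for the example.

```python
"""Added example (not django-storages code): why AWS_DEFAULT_ACL = "public-read"
fails with "Access Denied" for a role that only has s3:PutObject, and why
AWS_DEFAULT_ACL = None avoids the extra permission.

Equivalent Django settings, constructed for this example:
    AWS_DEFAULT_ACL = None           # send no ACL header; bucket policy governs access
    AWS_DEFAULT_ACL = "public-read"  # object ACL sent; role also needs s3:PutObjectAcl
"""
import fnmatch
from typing import Dict, List, Optional, Set, Tuple, Union

# Constructed sample data for the example (not real accounts or buckets).
OBJECT_ARN = "arn:aws:s3:::example-media-bucket/uploads/report.pdf"

# A least-privilege role policy: it can write and read objects, nothing else.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-media-bucket/*"},
    ],
}

# A broad policy with an explicit Deny on object ACL changes: Deny always wins.
DENY_ACL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-media-bucket/*"},
        {"Effect": "Deny", "Action": "s3:PutObjectAcl",
         "Resource": "arn:aws:s3:::example-media-bucket/*"},
    ],
}


def upload_extra_args(default_acl: Optional[str]) -> Dict[str, str]:
    """Mirror of the setting's effect on the upload call: a canned ACL is passed
    as ExtraArgs={"ACL": ...}; None means no ACL header is sent, so the object
    is governed by the bucket's policy instead of a per-object ACL."""
    return {} if default_acl is None else {"ACL": default_acl}


def required_actions(extra_args: Dict[str, str]) -> Set[str]:
    """IAM actions an S3 PutObject needs. Setting an object ACL (the x-amz-acl
    header) additionally requires s3:PutObjectAcl."""
    actions = {"s3:PutObject"}
    if "ACL" in extra_args:
        actions.add("s3:PutObjectAcl")
    return actions


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def evaluate_policy(policy: dict, action: str, resource: str) -> bool:
    """Minimal IAM-style evaluation (assumption: Allow/Deny only, no conditions).
    An explicit Deny that matches wins immediately; otherwise any matching Allow
    grants; with no match the result is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_upload(policy: dict, default_acl: Optional[str], resource: str) -> Tuple[bool, Set[str]]:
    """Return (allowed, missing_actions) for an upload under the given setting.
    The missing set is what an "Access Denied" from S3 does not tell you."""
    needed = required_actions(upload_extra_args(default_acl))
    missing = {a for a in needed if not evaluate_policy(policy, a, resource)}
    return (not missing, missing)


if __name__ == "__main__":
    for acl in ("public-read", None):
        ok, missing = can_upload(ROLE_POLICY, acl, OBJECT_ARN)
        print(f"AWS_DEFAULT_ACL={acl!r}: allowed={ok}, missing={sorted(missing)}")
    # AWS_DEFAULT_ACL='public-read': allowed=False, missing=['s3:PutObjectAcl']
    # AWS_DEFAULT_ACL=None: allowed=True, missing=[]
```

Run it to see that the only difference between the failing and the working upload is the ACL header: with `AWS_DEFAULT_ACL = None` the role needs nothing beyond `s3:PutObject`, and public access, if wanted at all, is then a bucket-policy decision rather than something every uploader is allowed to set per object.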

@jschneier (Owner)

We will now warn about the insecure defaults with a recommendation to update.
