Default ACL for file operations on S3 must be "private"

Description

It looks like Lucee is setting file permissions on S3 to "public-read" by default, and in addition to this, the acl="private" attribute is simply ignored.

I have set the this.s3 attributes (accessKeyId and awsSecretKey) in Application.cfc.

s3ep = "s3-ap-southeast-2.amazonaws.com"; // we are in Sydney region
bucketName = "privateBucket";
fileName = "privateObject.txt";

s3_fileName = "s3://" & bucketName & "/" & fileName;
s3_fileLink = "https://" & s3ep & "/" & bucketName & "/" & fileName;

fileWrite(s3_fileName, "test");

// alternatively you can use following code with same results
// file action="write" file=s3_fileName output="test" acl="private";
// please note, that ACL=private attribute is simply ignored

// Following line will fix permissions
// storeSetACL(s3_fileName, "private");

h = new http(method="get", url=s3_fileLink).send().getPrefix();
writeOutput(h.fileContent);

Obviously I should get "Access Denied" XML output from the last line, but I am getting the file content instead.

A call to the storeSetACL function right after the file operation will fix the issue, but the default permission on an S3 object must be "private"!

Environment

Windows 10
Lucee 5.2.2.60-SNAPSHOT
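
An added example (not part of the ticket and not Lucee's code): a Python check that parses the ACL document S3 returns for an object and reports grants to the predefined AllUsers and AuthenticatedUsers groups, which is how the "public-read" state described above appears in the ACL. The sample documents, the owner ID and all function names are constructed for illustration; fetching the real ACL is left to the caller.

```python
import xml.etree.ElementTree as ET

S3 = "{http://s3.amazonaws.com/doc/2006-03-01/}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Predefined S3 groups: a grant to either reaches beyond named accounts.
BROAD_GROUPS = {ALL_USERS: "anyone (anonymous)", AUTH_USERS: "any AWS account"}


def broad_grants(acl_xml):
    """Return sorted (audience, permission) pairs granted to predefined groups."""
    found = set()
    for grant in ET.fromstring(acl_xml).iter(S3 + "Grant"):
        grantee = grant.find(S3 + "Grantee")
        if grantee is None or grantee.get(XSI_TYPE) != "Group":
            continue  # CanonicalUser / email grantees are named accounts
        uri = grantee.findtext(S3 + "URI", default="").strip()
        perm = grant.findtext(S3 + "Permission", default="").strip()
        if uri in BROAD_GROUPS:
            found.add((BROAD_GROUPS[uri], perm))
    return sorted(found)


def is_private(acl_xml):
    """True when no grant goes to AllUsers or AuthenticatedUsers."""
    return not broad_grants(acl_xml)


def sample_acl(group_grants):
    """Constructed AccessControlPolicy: owner FULL_CONTROL plus the given group grants."""
    grants = ('<Grant><Grantee xsi:type="CanonicalUser"><ID>EXAMPLE-OWNER-ID</ID>'
              '</Grantee><Permission>FULL_CONTROL</Permission></Grant>')
    for uri, perm in group_grants:
        grants += ('<Grant><Grantee xsi:type="Group"><URI>%s</URI></Grantee>'
                   '<Permission>%s</Permission></Grant>' % (uri, perm))
    return ('<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<Owner><ID>EXAMPLE-OWNER-ID</ID></Owner>'
            '<AccessControlList>%s</AccessControlList></AccessControlPolicy>' % grants)


PUBLIC_READ = sample_acl([(ALL_USERS, "READ")])  # the state the ticket reports after fileWrite
PRIVATE = sample_acl([])                          # owner-only, the state "private" should leave

if __name__ == "__main__":
    for name, doc in (("public-read", PUBLIC_READ), ("private", PRIVATE)):
        print(name, "->", "private" if is_private(doc) else broad_grants(doc))
```

Run against the ACL of every object an application writes, this turns the ticket's manual anonymous GET into a repeatable regression check.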

Activity

Michael Offner 8 September 2017 at 09:08

Brad Wood 5 September 2017 at 17:10

I would say match the default behavior of Adobe CF which seems to be full control, not private. This ticket seems to be addressing two things though:

  1. The default ACL

  2. Whether or not the acl="private" bit works

It sounds like number 2 should be fixed as Pothys has reproduced it, but I would be careful changing the default to differ from Adobe CF.

Michael Offner 4 September 2017 at 19:19

I'm not really sure if we should change the default behaviour; please see this for more details:
https://dev.lucee.org/t/s3-acl-default/2721

Pothys - MitrahSoft 29 June 2017 at 14:35

I've added a test case for this ticket and confirmed that the issue happens on the latest version of Lucee, 5.2.2.60. In the cffile tag, the attribute storeAcl = 'private' doesn't work. It doesn't change the permission; it shows the default permission, public-read. If we pass an aclObject as the value of the storeACl attribute, it changes the permission to the one given in the aclObject.

Pull Request: https://github.com/lucee/Lucee/pull/258

Fixed

Created 26 June 2017 at 04:56
Updated 13 May 2023 at 15:52
Resolved 22 September 2017 at 13:58