Any tool/command to check whether a Google Cloud Storage bucket is really inaccessible by public

google-app-engine, google-cloud-platform

I found several strange requests in my Google App Engine log:

2620:0:1000:3001:1c2f:1188:9a2a:f8d8 – – [26/Oct/2015:16:29:55 -0700] "HEAD /an/object/path HTTP/1.1" 404 – – "curl/7.35.0" "xxx.appspot.com" ms=2 cpu_ms=0 cpm_usd=0 instance=- app_engine_release=1.9.27 trace_id=-

where /an/object/path is the path of an object in the Google Cloud Storage default bucket, which should be unknown to the user.

I have tried listing the bucket content using another account with:

gsutil ls gs://xxx.appspot.com

which gives "AccessDeniedException: 403 Forbidden", and

https://storage.cloud.google.com/xxx.appspot.com/

which shows nothing.

gsutil acl get gs://xxx.appspot.com/…

outputs:

[
  {
    "entity": "project-owners-1096471376163",
    "projectTeam": {
      "projectNumber": "1096471376163",
      "team": "owners"
    },
    "role": "OWNER"
  },
  {
    "entity": "project-editors-1096471376163",
    "projectTeam": {
      "projectNumber": "1096471376163",
      "team": "editors"
    },
    "role": "OWNER"
  },
  {
    "entity": "project-viewers-1096471376163",
    "projectTeam": {
      "projectNumber": "1096471376163",
      "team": "viewers"
    },
    "role": "READER"
  },
  {
    "entity": "user-00b4903a978e00507e97b8a0898de74c6896e15ea3bf3e4c4fcdcbc4eb209c8f",
    "entityId": "00b4903a978e00507e97b8a0898de74c6896e15ea3bf3e4c4fcdcbc4eb209c8f",
    "role": "OWNER"
  }
]

So I suspect that either

  1. my account is hacked, and/or
  2. the permissions of the bucket/objects are set wrongly, and/or
  3. there are some buggy APIs which may make it possible to list/query the bucket content.

If my account were hacked, the hacker could get the bucket objects directly and would not really need to send requests to GAE, so the chances of 2 and 3 are also high.

So I want to ask what tool/command I can use to check whether my bucket is really safe against public access.

For case 3, many other accounts may be affected too.

Best Answer

As explained in the docs, you can do it with gsutil.

Something like:

gsutil acl get gs://«path-to-object»

From what I can read from your updated question, looking back at the same documentation I just linked to, you can see that the return means the following:

the project owners ALSO have ownership of the object,

the project editors ALSO have ownership of the object,

the project viewers ALSO have READ access to the object,

and the guy who first uploaded the object has ownership over it.
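The checks described in this answer, written up as an added Python example that is not from the question, the answer, or Google's own tooling: it parses the JSON that `gsutil acl get` (or `gsutil iam get` for bucket-level IAM) prints and flags any `allUsers` / `allAuthenticatedUsers` grant, and it can also HEAD an object anonymously through storage.googleapis.com, which is what an unauthenticated client would have to succeed at for the object to actually be exposed. The sample ACL is constructed; `fetch_policy` and `anonymous_head` assume a machine with gsutil installed and network access.

```python
import json
import subprocess
import urllib.error
import urllib.request

# Principals that expose data to everyone (allUsers) or to any signed-in
# Google account (allAuthenticatedUsers). A private bucket grants neither.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

def public_grants(policy_json: str) -> list:
    """Return (principal, role) pairs that grant public access.
    Accepts the ACL array from `gsutil acl get` (entries with "entity"/"role")
    and the IAM policy from `gsutil iam get` ({"bindings": [{"members","role"}]})."""
    policy = json.loads(policy_json)
    found = []
    if isinstance(policy, list):  # legacy object/bucket ACL
        found = [(e["entity"], e["role"]) for e in policy
                 if e.get("entity") in PUBLIC_PRINCIPALS]
    else:  # bucket IAM policy
        for binding in policy.get("bindings", []):
            found += [(m, binding["role"]) for m in binding.get("members", [])
                      if m in PUBLIC_PRINCIPALS]
    return found

def fetch_policy(gs_url: str, kind: str = "acl") -> str:
    """Run `gsutil acl get` (or `gsutil iam get` with kind="iam") on a gs:// URL.
    Needs gsutil on PATH and an authenticated account; not exercised offline."""
    return subprocess.run(["gsutil", kind, "get", gs_url], check=True,
                          capture_output=True, text=True).stdout

def anonymous_head(bucket: str, object_path: str) -> int:
    """HEAD the object via storage.googleapis.com with no credentials at all.
    Only 200 means anyone can read it; 403/404 means anonymous access was refused."""
    url = f"https://storage.googleapis.com/{bucket}/{object_path}"
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code

# Constructed sample: the project-team ACL shape from the question, plus a
# hypothetical "allUsers" READER entry that would make the object world-readable.
PRIVATE_ACL = json.dumps([
    {"entity": "project-owners-1096471376163", "role": "OWNER"},
    {"entity": "project-viewers-1096471376163", "role": "READER"},
])
LEAKY_ACL = json.dumps(json.loads(PRIVATE_ACL) + [{"entity": "allUsers", "role": "READER"}])
```

An empty list from `public_grants` on both the object ACL and the bucket IAM policy, together with a non-200 from `anonymous_head`, is the evidence that the object is not reachable without credentials; a 404 from the App Engine log only shows the app had no route for that path, not whether the bucket object is readable.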
