I found several strange requests in my Google App Engine log:
2620:0:1000:3001:1c2f:1188:9a2a:f8d8 – – [26/Oct/2015:16:29:55 -0700] "HEAD /an/object/path HTTP/1.1" 404 – – "curl/7.35.0" "xxx.appspot.com" ms=2 cpu_ms=0 cpm_usd=0 instance=- app_engine_release=1.9.27 trace_id=-
where /an/object/path is the path of an object in the Google Cloud Storage default bucket, which should be unknown to the user.
I have tried listing the bucket content using another account with:
gsutil ls gs://xxx.appspot.com
which gives "AccessDeniedException: 403 Forbidden", and
which shows nothing.
gsutil acl get gs://xxx.appspot.com/…
outputs:
[
  {
    "entity": "project-owners-1096471376163",
    "projectTeam": {
      "projectNumber": "1096471376163",
      "team": "owners"
    },
    "role": "OWNER"
  },
  {
    "entity": "project-editors-1096471376163",
    "projectTeam": {
      "projectNumber": "1096471376163",
      "team": "editors"
    },
    "role": "OWNER"
  },
  {
    "entity": "project-viewers-1096471376163",
    "projectTeam": {
      "projectNumber": "1096471376163",
      "team": "viewers"
    },
    "role": "READER"
  },
  {
    "entity": "user-00b4903a978e00507e97b8a0898de74c6896e15ea3bf3e4c4fcdcbc4eb209c8f",
    "entityId": "00b4903a978e00507e97b8a0898de74c6896e15ea3bf3e4c4fcdcbc4eb209c8f",
    "role": "OWNER"
  }
]
So I suspect that either
- my account is hacked, and/or
- permission of the bucket/objects is set wrongly, and/or
- there are some buggy APIs that may make it possible to list/query the bucket content.
If my account were hacked, the hacker could get the bucket objects directly and would not really need to send requests to GAE, so the chances of 2 and 3 are also high.
So I want to ask what tool/command I can use to check whether my bucket is really safe against public access.
For case 3, maybe, many other accounts are affected too.
Best Answer
As explained in the docs, you can do it with gsutil.
Something like:
From what I can read from your updated question, looking back at the same documentation I just linked, you can see that the return means the following:
the project owners ALSO have ownership of the object,
the project editors ALSO have ownership of the object,
the project viewers ALSO have READ access to the object,
and the guy who first uploaded the object has ownership over it.
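To check an ACL for public grants the way the question asks, here is an added example that is not part of the original answer: a Python script that reads the JSON that gsutil acl get prints (the format shown in the question) and flags any grant to the public entities allUsers or allAuthenticatedUsers. The embedded ACL is a constructed sample modelled on the one in the question; its allUsers entry is hypothetical, added so the check has something to report.

```python
import json
import sys

# ACL grantees that mean "public": anyone on the internet, or anyone with
# any Google account. These are the real GCS ACL entity names.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample modelled on the ACL in the question, with one
# hypothetical "allUsers" READER grant added so the check has a hit.
SAMPLE_ACL = json.loads("""
[
  {"entity": "project-owners-1096471376163",
   "projectTeam": {"projectNumber": "1096471376163", "team": "owners"},
   "role": "OWNER"},
  {"entity": "project-viewers-1096471376163",
   "projectTeam": {"projectNumber": "1096471376163", "team": "viewers"},
   "role": "READER"},
  {"entity": "allUsers", "role": "READER"}
]
""")


def public_grants(acl):
    """Return (entity, role) for every grant to a public entity.

    An empty list means the ACL itself grants no anonymous or
    all-authenticated access; the remaining entries are project teams
    and individual users, which are the expected grantees."""
    return [(e.get("entity"), e.get("role"))
            for e in acl if e.get("entity") in PUBLIC_ENTITIES]


def summarize(acl):
    """Map each grantee entity to its role for a quick manual review."""
    return {e["entity"]: e["role"] for e in acl}


if __name__ == "__main__":
    # Real use: pipe the ACL in, e.g.
    #   gsutil acl get gs://xxx.appspot.com | python3 check_acl.py
    # With no piped input, the constructed sample is checked instead.
    acl = SAMPLE_ACL if sys.stdin.isatty() else json.load(sys.stdin)
    for entity, role in summarize(acl).items():
        print(f"{entity:<45} {role}")
    hits = public_grants(acl)
    if hits:
        print("PUBLIC ACCESS:", hits)
        sys.exit(1)
    print("no public grants in ACL")
```

Run it against each object path that appears in the suspicious requests as well as the bucket itself, since object ACLs can differ from the bucket ACL.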