Description of problem:
An object can still be deleted even if a bucket or user policy with DENY s3:DeleteObject exists.

Version-Release number of selected component (if applicable):
3.2

How reproducible:
100%

Steps to Reproduce (from upstream case):
"""
For example, the testing bucket name is '111', the bucket owner is em_test1

[root@localhost ~]# s3cmd info s3://111
s3://111/ (bucket):
   Location:  default
   Payer:     BucketOwner
   Expiration Rule: none
   Policy:    {"Version": "2012-10-17",
               "Statement": [
                 {"Action": ["s3:PutObject", "s3:DeleteObject"],
                  "Principal": {"AWS": ["arn:aws:iam:::user/em_test1"]},
                  "Resource": ["arn:aws:s3:::111/InterLeave"],
                  "Effect": "Deny",
                  "Sid": "worm1"},
                 {"Action": ["s3:GetObject"],
                  "Principal": {"AWS": ["arn:aws:iam:::user/em_test2"]},
                  "Resource": ["arn:aws:s3:::111/InterLeave"],
                  "Effect": "Allow",
                  "Sid": "worm2"}]}
   CORS:      none
   ACL:       em_test1: FULL_CONTROL

We can see that there is a related bucket policy configuration set on bucket 111 which defines that the bucket owner em_test1 cannot overwrite (by PutObject) or delete (by DeleteObject) the InterLeave object in bucket 111.

[root@localhost ~]# s3cmd put InterLeave s3://111
upload: 'InterLeave' -> 's3://111/InterLeave'  [1 of 1]
 37072 of 37072   100% in    0s     3.75 MB/s  done
ERROR: S3 error: 403 (AccessDenied)

[root@localhost ~]# s3cmd del s3://111/InterLeave
delete: 's3://111/InterLeave'

Then we really cannot overwrite the InterLeave object in bucket 111, but we can still delete it.
"""
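As an added illustration (not code from this bug report or from Ceph RGW), the following Python evaluates the bucket policy quoted above the way S3-style policy evaluation is documented to work: an explicit Deny wins over any Allow, an explicit Allow grants the request, and a request matched by no statement falls back to the bucket ACL. The function names (evaluate, expected_status), the ACL table and the constructed request list are assumptions of this example; it handles Action/Resource wildcards and the AWS principal form, but not NotAction, NotResource or Condition. Run against the requests in the report, it yields 403 for em_test1's DeleteObject on InterLeave, which is the response the service should have returned instead of deleting the object.

```python
import fnmatch
import json

# Copy of the bucket policy shown in the s3cmd info output above.
BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Action": ["s3:PutObject", "s3:DeleteObject"],
  "Principal": {"AWS": ["arn:aws:iam:::user/em_test1"]},
  "Resource": ["arn:aws:s3:::111/InterLeave"],
  "Effect": "Deny", "Sid": "worm1"},
 {"Action": ["s3:GetObject"],
  "Principal": {"AWS": ["arn:aws:iam:::user/em_test2"]},
  "Resource": ["arn:aws:s3:::111/InterLeave"],
  "Effect": "Allow", "Sid": "worm2"}]}
""")

# Constructed ACL table mirroring "ACL: em_test1: FULL_CONTROL" from the report:
# bucket ARN prefix -> set of principal ARNs holding FULL_CONTROL.
BUCKET_ACL = {"arn:aws:s3:::111": {"arn:aws:iam:::user/em_test1"}}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Actions match case-insensitively with '*' / '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    """Resource ARNs match case-sensitively with '*' / '?' wildcards."""
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _principal_matches(principal, caller_arn):
    """Principal is "*" (anyone) or {"AWS": <arn or list of arns>}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", caller_arn) for p in _as_list(principal.get("AWS")))
    return False


def evaluate(policy, caller_arn, action, resource):
    """Deny-overrides evaluation. Returns (decision, matching Sids) where decision is
    'Deny' (explicit), 'Allow' (explicit) or 'ImplicitDeny' (no statement matched)."""
    allows, denies = [], []
    for stmt in _as_list(policy.get("Statement")):
        if not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        if not _action_matches(stmt.get("Action"), action):
            continue
        if not _resource_matches(stmt.get("Resource"), resource):
            continue
        (denies if stmt.get("Effect") == "Deny" else allows).append(stmt.get("Sid"))
    if denies:                      # an explicit Deny beats everything, ACL included
        return "Deny", denies
    if allows:
        return "Allow", allows
    return "ImplicitDeny", []


def _acl_permits(caller_arn, resource):
    """ACL fallback (assumption for this example): FULL_CONTROL on the bucket permits
    any object operation inside it."""
    bucket = resource.split("/", 1)[0]
    return caller_arn in BUCKET_ACL.get(bucket, set())


def expected_status(policy, caller_arn, action, resource):
    """HTTP status an S3 endpoint should answer: policy decision first, ACL second."""
    decision, _ = evaluate(policy, caller_arn, action, resource)
    if decision == "Deny":
        return 403
    if decision == "Allow" or _acl_permits(caller_arn, resource):
        return 200
    return 403


if __name__ == "__main__":
    obj = "arn:aws:s3:::111/InterLeave"
    # Constructed request list covering the two operations from the report.
    for user, action in [("em_test1", "s3:PutObject"), ("em_test1", "s3:DeleteObject"),
                         ("em_test2", "s3:GetObject"), ("em_test2", "s3:DeleteObject")]:
        arn = f"arn:aws:iam:::user/{user}"
        decision, sids = evaluate(BUCKET_POLICY, arn, action, obj)
        print(f"{user:9} {action:16} -> {decision:12} {sids} "
              f"expected HTTP {expected_status(BUCKET_POLICY, arn, action, obj)}")
```

Both operations denied by statement worm1 resolve to 403, so a service returning "delete: 's3://111/InterLeave'" without an AccessDenied error, as in the report, is skipping or mis-evaluating the Deny branch for DeleteObject while honouring it for PutObject.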
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0475