Object PUTs into private buckets lead to EACL bloat #464

Closed
opened 2025-12-28 17:37:29 +00:00 by sami · 1 comment

Originally created by @roman-khimov on GitHub (Oct 25, 2024).

Originally assigned to: @smallhive on GitHub.

Current Behavior

PutObject with full owner control ACL leading to EACL bloat and eventual 500 with `container setEacl: status: code = 1024 message = Invalid params (-32602) - byte-slice is too big (67987)` error.

Expected Behavior

Buckets are private by default. Puts with full object control for objects do nothing EACL-wise as explained in https://pkg.go.dev/github.com/aws/aws-sdk-go/service/s3/s3manager#UploadInput and its references. Other ACLs are rejected unless ACLs are enabled (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html also).

Possible Solution

Fix the damn things.

Steps to Reproduce

`aws s3api put-object --bucket amzn-s3-demo-bucket --key key-name --body path-to-file --acl bucket-owner-full-control`

Context

Real software loves specifying ACLs for whatever reason.

Your Environment

  • Version of the product used: 0.32.0
  • Server setup and configuration files used:
  • Operating System and version (`uname -a`): Debian stable
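
The expected behavior from the report above, sketched as an added Go example (not code from neofs-s3-gw or its authors). The `Bucket` type, its fields and `ApplyPutObjectACL` are hypothetical names, and the EACL table is simplified to a slice of strings; the header names and the `AccessControlListNotSupported` error code are the ones S3 uses.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// ErrACLNotSupported stands for S3's 400 AccessControlListNotSupported.
var ErrACLNotSupported = errors.New("AccessControlListNotSupported")

// Explicit-grant headers S3 accepts on PutObject.
var grantHeaders = []string{"X-Amz-Grant-Read", "X-Amz-Grant-Read-Acp",
	"X-Amz-Grant-Write-Acp", "X-Amz-Grant-Full-Control"}

// Bucket is a hypothetical model of gateway bucket state.
type Bucket struct {
	ACLEnabled  bool     // false: private bucket, the default
	EACLRecords []string // stand-in for the container's EACL table
}

// ApplyPutObjectACL decides what an object PUT may do to the bucket EACL.
func (b *Bucket) ApplyPutObjectACL(key string, h http.Header) error {
	canned := h.Get("X-Amz-Acl")
	explicit := false
	for _, name := range grantHeaders {
		explicit = explicit || h.Get(name) != ""
	}
	if !explicit && (canned == "" || canned == "bucket-owner-full-control") {
		return nil // owner already has full control: never touch the EACL
	}
	if !b.ACLEnabled {
		return ErrACLNotSupported // reject instead of silently growing the table
	}
	// ACLs enabled: record the grant (simplified to one record per request).
	b.EACLRecords = append(b.EACLRecords, key+" "+canned)
	return nil
}

func main() {
	b := &Bucket{} // private bucket
	h := http.Header{}
	h.Set("x-amz-acl", "bucket-owner-full-control")
	for i := 0; i < 10000; i++ {
		_ = b.ApplyPutObjectACL(fmt.Sprintf("key-%d", i), h)
	}
	fmt.Println("EACL records after 10000 PUTs:", len(b.EACLRecords))
}
```
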
sami 2025-12-28 17:37:29 +00:00 closed this issue and added the bug, S4, I4, U1 labels

@smallhive commented on GitHub (Oct 28, 2024):

Some AWS docs https://docs.aws.amazon.com/AmazonS3/latest/userguide/ensure-object-ownership.html about bucket policy.

Another interesting treasure https://gitlab.com/gitlab-org/container-registry/-/issues/909

Reference
nspcc-dev/neofs-s3-gw#464