Check docs for fixed security vulnerability

[djwfyi]

minio/minio#18928 fixes a security vulnerability that would allow for service accounts to use permission escalation.

Check docs for any changes that might need to be made:

• Warning about admin:* on https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html#policy-action.admin, that such may allow a user to edit their own permissions.
• check for the UpdateServiceAccountAdminAction vs admin.UpdateServiceAccount we doc. Are these the same? where does the first come into play? Is it a special flag that got added? If so, when?

[djwfyi]

Security advisory notice: GHSA-xx8w-mq23-29g4

[djwfyi]

Fix is in Server release RELEASE.2024-01-31T20-20-33Z

[ravindk89]

@donatello can you provide some color on the above?

Looking at https://github.com/minio/minio/pull/18928/files#diff-ef268fe29d8a37a689fc4720dcb9feb441bb3076def2ed405c717ab586d6baa2R790-R791 I can see we're looking for a specific policy.

We do have https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html#policy-action.admin-UpdateServiceAccount but that would be covered in admin:* permissions. So just checking for that wouldn't necessarily close this bug off, right?

Or did we add a new policy action UpdateServiceAccountAdminAction that exists outside of the s3:* and admin:* buckets? Which would imply this flag would now be required for root + all other users before you could modify service accounts?

Some detail would help here for us to document.

[ravindk89]

ping @donatello on the above