GL01-016 Weak filesystem permissions enable local attacks (Medium) #303
Comments
|
by Abraham Aranguren |
|
applied security tag |
|
the Abraham Aranguren fix is not needed if we make use of os.umask(077) i'm studying an enforced code like this:
this is the code: ########################## orig_umask = os.umask def umask(mask): os.umask = umask and this is the result: evilaliv3@remotehost /data/devel/globaleaks/GLBackend $ ls workingdir/* -al workingdir/files: workingdir/log: workingdir/torhs: |
ghost
assigned 
The default filesystem permissions, when using the globaleaks recommended guidelines and the installation scripts, enable a number of local attacks. Please note the following is not an exhaustive list. The default permissions allow read, write and execute access to all users in the system in a number of sensitive globaleak directories:
$ ls -l /var/globaleaks/
drwxrwxrwx 2 globaleaks globaleaks 4096 Jun 6 16:32 db
drwxrwxrwx 4 globaleaks globaleaks 4096 May 31 16:07 files
drwxrwxrwx 4 globaleaks globaleaks 4096 Jun 6 18:15 log
drwx------ 2 debian-tor debian-tor 4096 Jun 6 08:00 torhs
Globaleaks log files are created with world readable permissions and may enable other attacks reported separately in this report (i.e. leakage of admin credentials, session tokens, etc).
$ ls -l
-rw-r--r-- 1 globaleaks globaleaks 2397 Jun 6 20:33 globaleaks.log
Globaleaks log rotation enables any system user to overwrite arbitrary globaleaks files by creating a symlink to a critical file:
globaleaks.log.1 globaleaks.log.2 globaleaks.log.3 globaleaks.log.4 globaleaks.log.5
Predictable log file rotation filename
For example, a symbolic link could be created to globaleaks.log.6 before it exists (all users can write to: /var/globaleaks/log) to overwrite /var/globaleaks/db/glbackend.db which would delete all the information in the node database.
Writeable access to the static files directory means that any system user could place HTML or other malicious files in a remotely accessible URL:
$ ls -l /var/globaleaks/files
drwxrwxrwx 2 globaleaks globaleaks 4096 Jun 6 16:10 static
Writeable access to the submissions directory enables symlink attacks to overwrite arbitrary files with the permissions of the globaleaks user, although this is significantly easier to accomplish using the log rotation symlink attack described above:
$ ls -l /var/globaleaks/files/
drwxrwxrwx 2 globaleaks globaleaks 4096 Jun 5 21:02 submission
The issue exists in the create_directories method within the globaleaks/settings.py file, which is invoked by the globaleaks install script. The problem has to do with the default behaviour of os.makedirs in python, os.makedir is called as follows:
os.mkdir(path)
In the python documentation for os.makedir indicates the following:
os.mkdir(path[, mode])
Create a directory named path with numeric mode mode. The default mode is 0777 (octal). On some systems, mode is ignored. Where it is used, the current umask value is first masked out. If the directory already exists, OSError is raised.
Although some system configurations might mitigate this problem through system-supplied umask values, it is recommended to consider running os.mkdir as follows to correct this issue explicitly:
os.mkdir(path, 0700)
The text was updated successfully, but these errors were encountered: