x/build/release: Go installer appends insecure path 'C:\Go\bin' to Windows system PATH #42070

Open
menocu opened this issue Oct 19, 2020 · 8 comments


@menocu menocu commented Oct 19, 2020

What version of Go are you using (go version)?

Tested against go1.15.2.windows-amd64.msi and go1.14.4.windows-amd64.msi.

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

Windows 10, amd64

What did you do?

Installed Go on Windows 10 using an installer from https://golang.org/dl/

What did you expect to see?

The installer appends 'C:\Go\bin' to the system path; this path should not be writable by low privileged users.

What did you see instead?

The permissions on 'C:\Go\bin' are overly permissive, and allow writes from the 'Authenticated Users' group. This means that any authenticated low privilege user on this system can plant a .dll or executable at this location which might later be loaded by an application or user running in a more privileged context, resulting in privilege escalation.

@dmitshur dmitshur changed the title Go installer appends insecure path 'C:\Go\bin' to Windows system PATH x/build/release: Go installer appends insecure path 'C:\Go\bin' to Windows system PATH Oct 19, 2020
@gopherbot gopherbot added the Builders label Oct 19, 2020
@gopherbot gopherbot added this to the Unreleased milestone Oct 19, 2020
Member

@dmitshur dmitshur commented Oct 19, 2020

Member

@FiloSottile FiloSottile commented Oct 21, 2020

It would be good to fix this before the next release, checking that it leads to secure permissions both on a fresh install and on an upgrade.

Contributor

@toothrot toothrot commented Nov 5, 2020

@menocu What does removing that permission mean for a multi-user environment? Will that break Go for other users on Windows? Do we know what other languages do on Windows?

Contributor

@rsc rsc commented Nov 5, 2020

It shouldn't break any other users to remove writability. People install Go in a non-world-writable /usr/local/go or similar directories on Unix all the time.

Author

@menocu menocu commented Nov 5, 2020

I agree that removing write permissions for 'Authenticated Users' from C:\Go\bin shouldn't break anything. For what it's worth, I looked at a few other languages to see what they do, and it looks like Python 2.7 and Ruby both add folders writable by this group to the system path. Python 3 and Haskell do not, by virtue of installing into subdirectories of C:\Program Files\ when installed for all users, from which they inherit secure permissions.

Contributor

@toothrot toothrot commented Nov 5, 2020

@rsc Yep! I am familiar with Unix, just not the common practices for Windows.

@menocu Awesome, thank you. I will make the appropriate change to our MSI configuration, and test it on my Windows PC.


@DemiMarie DemiMarie commented Nov 10, 2020

@menocu I consider this to be a bug in Windows, which allowed C:\ to be writable by authenticated users (!).

Contributor

@zx2c4 zx2c4 commented Nov 19, 2020

I suppose you could play with the PermissionEx tag in the Wix on the CreateDirectory call with a fairly restrictive SDDL that's inherited by its containers.

https://wixtoolset.org/documentation/manual/v3/xsd/wix/permissionex.html

Alternatively, install Go to Program Files like normal programs? If you're already adding it to PATH, that shouldn't be less convenient. Unless you're concerned about filenames with spaces or something?
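
A defender-side check for the condition reported in this issue, added here as an example and not part of the thread or the Go project's code: it walks the machine-wide PATH and reports every directory where Everyone, Authenticated Users or BUILTIN\Users hold rights to create files or change the ACL. The set of groups and rights to flag is an assumption of this example.

```powershell
# Added example (not from the issue thread): list machine-PATH directories
# where a broad group holds rights that allow planting files there.

# Well-known SIDs, so the check does not depend on localized group names.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal create entries in the directory or loosen its ACL
# (assumed selection for this example).
$fsr   = [System.Security.AccessControl.FileSystemRights]
$risky = $fsr::CreateFiles -bor $fsr::AppendData -bor
         $fsr::ChangePermissions -bor $fsr::TakeOwnership

$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Machine-wide PATH entries that exist as directories, with %VAR% expanded.
$dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
    Select-Object -Unique

$findings = foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir
    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $broad.ContainsKey($sid)) { continue }
        # Inherit-only ACEs apply to children, not to the directory itself.
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }
        $granted = $ace.FileSystemRights -band $risky
        if ([int]$granted -ne 0) {
            [pscustomobject]@{
                Directory = $dir
                Principal = $broad[$sid]
                Rights    = $granted
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

An `Inherited` value of `True` on a directory created directly under `C:\` matches the situation discussed above, where the permissive entry comes from the parent rather than from the installer setting it explicitly.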
