Disable logging in secure mode #13488
Conversation
|
The advisory will be published after the patch release is published. |
seanbudd
force-pushed
the
disableLoggingSecureMode
branch
from
f2c2811
to
476b02b
Compare
|
Why should updating be blocked in secure mode? |
This comment was marked as resolved.
This comment was marked as resolved.
|
@codeofdusk when it comes to security questions really we need to ask the opposite question "why should updating NVDA from secure screens be allowed" The use case for that isn't clear to me. It would allow an unauthenticated user to make a significant change to a users machine. Further, applying updates from secure screens is definitely not the common/expected use-case, and is an unnecessary variation to support. |
This comment was marked as resolved.
This comment was marked as resolved.
GitHub Advisory GHSA-354r-wr4v-cx28: Summary: With the --debug-logging NVDA command line option, it was possible to enable debug logging in secure mode. From a secure screen, it was possible to activate debug logging by restarting NVDA and selecting "Restart with debug logging" in the Exit Dialog. This created an instance of NVDA performing debug logging from the system profile, from a secure context. Description of change Prevent debug logging in secure mode. Remove "Restart with debug logging" from the exit dialog options. Remove "Install pending update" from the exit dialog options.
feerrenrut
force-pushed
the
disableLoggingSecureMode
branch
from
476b02b
to
8faadd6
Compare
| #### Logging in secure mode | ||
| `logHandler.initialize` prevents logging in secure mode. | ||
| This is because it is a security concern to log during secure mode (e.g. passwords are logged). | ||
| To change this for testing, patch the source build. |
There was a problem hiding this comment.
This is misleading for any current developer who sees this text, and does not look into the code. When I saw it my first reaction was "why ability to set serviceDebug in registry (which was the recommended way to have logging in secure screens) is removed". After looking into the code it turns out it was not - just this documentation does not take it into account.
There was a problem hiding this comment.
I asked myself a similar question when reading this text: why do not use serviceDebug in registry?
There was a problem hiding this comment.
A PR to beta to amend this might be worthwhile.
I don't think this is misleading enough to patch 2021.3.4.
Using serviceDebug is still a documented option in the userGuide.
The important part of the patch is that you cannot enable debug logging in secure mode without this.
The security advisory, when published, should make the security implications clear.
| To change this for testing, patch the source build. | |
| To change this for testing, use the [serviceDebug](https://www.nvaccess.org/files/nvda/documentation/userGuide.html#SystemWideParameters) system wide parameter. |
| if globalVars.appArgs.secure: | ||
| allowedActions.remove(_ExitAction.RESTART_WITH_DEBUG_LOGGING_ENABLED) | ||
| # Installing updates should not happen in secure mode. | ||
| if globalVars.appArgs.secure or not (updateCheck and updateCheck.isPendingUpdate()): |
There was a problem hiding this comment.
Why this change? Has anyone managed to update NVDA in secure mode? As far as I can tell this was not possible even before this PR, and should not be advertised as a new security improvement since:
- Only pending updates can be applied when in secure mode, and all executable files are excluded when copying system config in
config._setSystemConfig updateCheckis set toNonewhen in secure mode since it raisedRuntimeErrorwhenglobalVars.appArgs.secureis true.
There was a problem hiding this comment.
This has been answered here: #13488 (comment)
It is misleading to show this action in the exit options.
| `logHandler.initialize` prevents logging in secure mode. | ||
| This is because it is a security concern to log during secure mode (e.g. passwords are logged). | ||
| To change this for testing, patch the source build. | ||
| `nvda.log` files are then generated in the System profile's `%TEMP%` directory. |
There was a problem hiding this comment.
Again this is not true. when starting nvda with the --secure switch and running as a normal user the log would be created in your temporary directory as usual. In general we should differentiate between secure mode on a secure screens and secure mode requested by the user from the CLI.
There was a problem hiding this comment.
I don't think we need to be this specific in the technicalDesignOverview.
Logging should be disabled in secure mode, not just secure screens.
It would be fine to amend this in a future release, such as:
| `nvda.log` files are then generated in the System profile's `%TEMP%` directory. | |
| When logging from a secure screen, `nvda.log` files are generated in the System profile's `%TEMP%` directory. |
This paragraph in the technicalDesignOverview.md aims to answer:
- is logging disabled in secure mode? why?
- how can I change this for testing? This can be updated, but the current description works too.
- Where can I find these logs? It is difficult to guess this when logging from a secure screen.
Summary of the issue: When working on #13488, the exitDialog was lengthened, and probably should be moved to its own submodule file. Description of how this pull request fixes the issue: Moves and lints ExitDialog and _ExitAction from gui.__init__ into gui.exit.
Summary of the issue: As raised in comments on #13488, the technical design overview could be clarified to be more clear and add more information. Using the serviceDebug parameter to prevent secure mode on secure screens is a more universal solution than patching source code. Users have been unclear on what secure mode and secure screens are when reading about recent security fixes. Description of how this pull request fixes the issue: Improves the documentation based on the discussion on #13488. Adds definitions of secure mode and secure screens to the user guide.
Thanks to @CyrilleB79 for reporting
Link to issue number:
GitHub Advisory GHSA-354r-wr4v-cx28: GHSA-354r-wr4v-cx28
Summary of the issue:
With the
--debug-loggingNVDA command line option, it is possible to enable debug logging in secure mode.From a secure screen, it is possible to activate debug logging by restarting NVDA and selecting "Restart with debug logging" in the Exit Dialog.
This creates an instance of NVDA performing debug logging from the system profile, from a secure context.
Description of how this pull request fixes the issue:
Prevents debug logging in secure mode.
Removes "Restart with debug logging" from the exit dialog options.
Removes "Install pending update" from the exit dialog options.
Testing strategy:
Run nvda with
-sand--debug-logging.nvda.logis createdsource/nvda.logwhen running from source, in%TEMP%/nvda.logwhen running as installed).Run nvda with
-s.nvda+q.Start NVDA normally and with the -s option. For each run:
Known issues with pull request:
None
Change log entries:
Security fixes
Code Review Checklist: