
Ensure we have right perms on saveconfig #172

Merged
merged 3 commits into from Jun 4, 2020

Conversation

pkalever
Contributor

Ensure that we:

  • set 0o600 perms on backupfiles
  • set right perms on backup dir
  • set right perms on /etc/target/ dir

Prasanna Kumar Kalever added 2 commits June 1, 2020 11:49
Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
finally:
os.umask(umask_original)
else:
if (os.stat(backup_dir).st_mode & 0o777) != mode:
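Review bot: the `else:` branch compares the mode of an already existing `backup_dir` against the fixed `mode` and, as the following comments describe, rewrites it whenever it differs, which also fires for directories targetcli does not own when a user saves to a custom path such as /tmp or /etc; restrict the fix-up to the default /etc/target tree, or apply it only to a directory this code has just created, and leave a pre-existing, user-chosen directory's permissions alone.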
Collaborator

This will prevent the root user from changing the dir's permissions (targetcli will overwrite them). Probably no one really cares, but maybe we should let the install scripts take care of that?

Contributor Author

The saveconfig.json file will always be created 0600 every time.
So there is no point: even if the admin sets 0644 or even wider 777 on /etc/target, users cannot open saveconfig.json.

@maurizio-lombardi
Collaborator

Tested, looks ok to me

@maurizio-lombardi maurizio-lombardi merged commit 493b62e into open-iscsi:master Jun 4, 2020
@carnil

carnil commented Jun 6, 2020

Hi, looking through the CVE feed from MITRE, this issue seems to have been assigned CVE-2020-13867.

@gonzoleeman
Contributor

Note: the fix for this issue caused another issue: now targetcli always changes the directory where config files are saved to 0600, even if it is not /etc/target (e.g. /tmp, /dev, /etc).

See #198
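The two properties argued over in this thread, a config file that ends up 0600 regardless of the caller's umask or of a wider pre-existing file, and a directory fix-up that does not touch directories targetcli does not own (the regression described in #198), as an added example. This is not targetcli's code; the constants MANAGED_DIR, FILE_MODE and DIR_MODE, the helper names and the scratch-tree layout in demo() are assumptions for illustration.

```python
"""Added example, not targetcli's own code: create the saved config 0600 no
matter what the umask is or what bits an older copy had, and only force
directory permissions on the directory the tool manages, so that saving a
backup into /tmp does not chmod /tmp."""
import os
import shutil
import stat
import tempfile

# Assumed constants for this example; the project's real paths and modes may differ.
MANAGED_DIR = "/etc/target"
FILE_MODE = 0o600
DIR_MODE = 0o700


def write_private_file(path, data):
    """Write `data` to `path` and return the resulting permission bits.

    The mode given to os.open is masked by the umask and is applied only when
    the file is created, so a pre-existing world-readable saveconfig.json would
    keep its old bits.  fchmod on the open descriptor fixes both cases before
    any content is written, so no reader ever sees the new data under wide bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, FILE_MODE)
    try:
        os.fchmod(fd, FILE_MODE)
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def ensure_dir(path, managed_dir=MANAGED_DIR, mode=DIR_MODE):
    """Create `path` with `mode` if missing; tighten it only if it is the managed dir.

    Returns the directory's permission bits after the call.  An existing
    directory chosen by the user (/tmp, a home directory, ...) is left alone.
    """
    if not os.path.isdir(path):
        os.makedirs(path)     # the mode argument would be masked by the umask, so
        os.chmod(path, mode)  # set the exact bits afterwards instead of juggling umask
    elif os.path.realpath(path) == os.path.realpath(managed_dir):
        if stat.S_IMODE(os.stat(path).st_mode) != mode:
            os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Exercise both helpers in a scratch tree (constructed input) and return the bits seen."""
    old_umask = os.umask(0o000)  # worst case: a fully permissive umask
    root = tempfile.mkdtemp()
    try:
        managed = os.path.join(root, "etc", "target")  # stands in for /etc/target
        results = {}
        # 1. fresh managed dir and a fresh config file
        results["new_dir"] = ensure_dir(managed, managed_dir=managed)
        cfg = os.path.join(managed, "saveconfig.json")
        results["new_file"] = write_private_file(cfg, '{"storage_objects": []}')
        # 2. an admin widened both; saving must re-tighten the file and the managed dir
        os.chmod(cfg, 0o644)
        os.chmod(managed, 0o755)
        results["fixed_file"] = write_private_file(cfg, '{"storage_objects": []}')
        results["fixed_dir"] = ensure_dir(managed, managed_dir=managed)
        # 3. a backup written elsewhere must not chmod that directory (the #198 case)
        other = os.path.join(root, "tmp")
        os.makedirs(other)
        os.chmod(other, 0o1777)
        results["other_dir"] = ensure_dir(other, managed_dir=managed)
        results["other_file"] = write_private_file(
            os.path.join(other, "saveconfig-backup.json"), "{}")
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)
        os.umask(old_umask)


if __name__ == "__main__":
    for name, bits in demo().items():
        print("%-10s %s" % (name, oct(bits)))
```

Setting the bits with fchmod/chmod after creation, rather than saving and restoring the umask around the call as the PR does, has the same effect on a new file and additionally repairs an existing file that an admin had widened; the realpath comparison in ensure_dir is what keeps the directory fix-up from firing on /tmp or /etc.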
