redis-cli: permissions when opening history file #3284
Comments
@antirez any news?

See also:

This has been given CVE-2013-7458

Note that simply using chmod(2) (like one of the above-linked dupes suggests) on the file leaves a race condition; one needs a patch like https://gist.github.com/lamby/5252347e8f2545d985a027cf142f0f5f

Thanks @lamby, I just applied your patch to unstable and 3.2.

Hello folks, just one small note regarding the forced chmod change: you won't allow the user to change the permissions of the file afterwards if he really wants to, as the file permissions will always be reverted.

(indeed)
redis-cli saves its history here:
https://github.com/antirez/redis/blob/8c4f4d12d856e57534277c1737d7cb07890bbe63/src/redis-cli.c#L1290
and uses the linenoise library to fopen the file there:
https://github.com/antirez/redis/blob/e0eb5f6bbf2407c802a231594acb90aa7a6a8e9a/deps/linenoise/linenoise.c#L1163
If the file does not exist, it's created with the default umask 0022, so the file ends up with 0644. redis-cli writes its history to ~ by default, which usually expands to a folder in /home, which is world accessible by default in a lot of distributions. This causes the file to be world readable. You could either call umask to change the default permissions or pass appropriate permissions when creating, like bash does:
http://git.savannah.gnu.org/cgit/bash.git/tree/bashhist.c?id=ae339e9c3c855a2bbd8f8667d4cf2999e3f06bfa#n385
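The two fixes the report contrasts (relying on the umask and chmod'ing afterwards, versus passing the mode at creation time as bash does), as an added example that is not redis, linenoise or bash code; the file paths and the sample history line are constructed for the demonstration:

```c
/* Added example (not redis or linenoise code): a history file created with
 * the default mode is 0666 masked by umask, 0644 under 022, so any chmod()
 * that follows leaves a window; passing 0600 to open(O_CREAT) closes it. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Append one line to path, creating it with the given mode if needed. */
static int append_with_mode(const char *path, const char *line, mode_t mode) {
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, mode);
    if (fd < 0) return -1;
    ssize_t len = (ssize_t)strlen(line);
    ssize_t n = write(fd, line, (size_t)len);
    close(fd);
    return n == len ? 0 : -1;
}

/* Hardened: owner read/write only, applied by the kernel at creation. */
int history_append_private(const char *path, const char *line) {
    return append_with_mode(path, line, S_IRUSR | S_IWUSR);
}

/* What fopen(path, "a") amounts to: 0666 left to the umask. A chmod(path, 0600)
 * added afterwards runs while the file already exists with the wider mode. */
int history_append_default(const char *path, const char *line) {
    return append_with_mode(path, line, 0666);
}

/* Permission bits (mode & 0777) of a path, or -1 if it cannot be stat'ed. */
int file_mode_bits(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* Create both variants under umask 022 and return 1 if the private file is
 * 0600 while the default one is 0644 (the mode the issue reports). */
int compare_history_modes(const char *default_path, const char *private_path) {
    const char *line = "AUTH example-password\n"; /* constructed sample entry */
    mode_t saved = umask(022);                    /* the default the issue describes */
    unlink(default_path); unlink(private_path);   /* start from fresh files */
    int ok = history_append_default(default_path, line) == 0 &&
             history_append_private(private_path, line) == 0;
    umask(saved);
    int dmode = file_mode_bits(default_path), pmode = file_mode_bits(private_path);
    unlink(default_path); unlink(private_path);
    return ok && dmode == 0644 && pmode == 0600;
}
```

Because umask can only clear permission bits, a creation mode of 0600 yields 0600 under any umask, which is why the creation-time mode needs no follow-up chmod.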