New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove attempts to set file modes #117
Conversation
After some testing and manually trying to set sane file modes, it turns out the umask still applies. So it seems the logical way to handle this is to actually rely on the OS umask to set proper permissions.
I think this is a great idea, but I haven't tested so I can't give my +1 as is. For example, we should make sure it doesn't prevent an already existing configuration folder/files to be read or written, or that would break all instances already deployed. @JocelynDelalande, assigning to you as you clearly know edge cases better than me :-) (also, you're marked as security reviewer :P). |
I kinda of doubt out, as what I removed was literally setting the files at 0777. Technically it shouldn't actually even do anything, as I found out the umask applies on top of that anyway. It just makes it clear that the file is not going to be 0777, as we were a bunch to be "WTF??" on it then realize it litterally doesn't do anything. |
This change was introduced without any explanation, so it's hard to tell why it's here in the first place. 👍 |
It works, and agreeing with @maxpoulin64 on the fact umask should apply. I don't see obvious failure this patch could trigger : lounge is designed to be run by a specific user anyway (using ~/.lounge by default). Even if it may break some password change on some setups, I'd suggest merging this quickly over trying to imagine every deployment issue it can trigger. that 777 permission is really bad. In a nutshell, this is an important security fix. 👍 A note should be introduced in next changelog (adding security section in changelog message ?). I suggest :
|
@JocelynDelalande umask always applies, so it is not actually a security breach. Even if the code said 0777, the actual permissions that got applied were different because 0777 is already the default. So this fix does literally nothing apart from removing the false impression that files are indeed 0777. If we're really wanted to put 0777 we'd have to create the file and then chmod it after the fact. |
@JocelynDelalande, this is definitely something that would have gone in a Thanks all! |
Remove attempts to set file modes
@maxpoulin64 Oh, after reality check, you are right. @maxpoulin64 it's realy weird then, what is this |
EDIT: keeping this comment for the record only, suggestions expressed are no longer relevant, see my later comment @astorije @maxpoulin64 Ok, we released v1.3.1 version w/o the security note, that may have been necessary, as there is doubt about some platforms. Now it's done. Too late, let's just do our best on top of that :-) We are in a state where the code intended to do something bad (the 777), and we don't know for sure that it wasn't honored on all platforms. Security common sense urge us to add a bold note about that. @maxpoulin64 offered to write test scripts to check non-GNU/Linux platform, but may not had time to do it. I myself don't have time and platforms to conduct those tests on non-GNU/Linux platforms. Anyway we have to be fast communicating with users. Quick releaseI'd suggest releasing very soon another release (it may be almost empty, doesn't matter, must include #143 + the PR spoken behind though), and add a proper release note. Umask is not enoughMoreover, we have hashed password inside those files. So relying on umask is not enough, we should force the files to be at least 660. If not 600. For the record, Debian/Ubuntu default umask 0is 022, which creates 0755 files. I'm working (right after posting this) on a PR that I hope can make it quickly to that next security release. Release-note warning (modified) proposalI suggest re-wording as this :
Other measure would include mentioning it in #thelounge topic. |
Avoid exposing hashed passwords to bruteforce from other system users. See thelounge#117 thelounge#143
Not true, server passwords are stored in cleartext when used. This is there to stay, because you need it in order to log into some servers. Lots of servers supports using that field to log in to NickServ, and it is also used to log into ZNC if you use that.
You need 0700, not 0600. You need the execute flag on directories to be able to traverse it, so without it even if the files were all 0666 inside it, you'd still wouldn't be able to access them. |
Finaly… I sorted it without any need to write test programs, but only reading low-level docs :
So… that whole PR is still legit, as a clarification, and because the user JSON files do not require But this PR brings nothing new in terms of security (thus removing tags and the need on a quick release and release note). The still relevant PR bringing actual saner security defaults is #165. What a mess… But an interesting one :-) |
After some testing and manually trying to set sane file modes, it turns out the umask still applies. So it seems the logical way to handle this is to actually rely on the OS umask to set proper permissions.
I have set mine to 0007, which results in the following structure:
This seems to be the best permissions for me, as the files are restricted to The Lounge, but the user can still allow a web server or other utilities to change the files by adding them to the lounge group.