Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address race condition in renew-script.sh #194

Merged
merged 2 commits into from Feb 27, 2024
Merged

Address race condition in renew-script.sh #194

merged 2 commits into from Feb 27, 2024

Conversation

throwaway96
Copy link
Member

Description

There is currently a race condition in renew-script.sh that could lead to exposure of the SSH private key. This change should resolve the issue by using mktemp to create a temporary directory with an unpredictable name and mode 0700.

The temporary directory (and therefore private key) will also be removed when no longer needed.

If mktemp does not exist or otherwise fails, a fallback directory will be created with a name based on the PID of the script. The mode will still be set to 0700 before the private key file is created. Since the name is predictable, there is a potential issue with symlink-based attacks. Perhaps the fallback should be removed or improved...

Note that the symlink issue is also present with $SESSION_TOKEN_CACHE. I'm not sure how to resolve that, since the name needs to be predictable. Checking that it's a regular file would not solve the problem but would at least make such an attack more difficult. However, I could also imagine someone wanting it to be a symlink (e.g., if /tmp is volatile and they want to maintain the cache across reboots). Anyway, this should probably be documented (with a warning to never run the script as root).

Fixes #193

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist:

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have run tests (npm run test & npm run e2e) that prove my fix is effective or that my feature works

It would be nice to have someone who uses this script test these changes.

@throwaway96
renew-script.sh: create temp dir for private key
ddbc8f2 
Avoid race condition caused by setting permissions after creating the
private key file. Make the temporary path unpredictable using mktemp,
falling back to a PID-based path when that fails. Remove private key
when finished with it.
@throwaway96
renew-script.sh: add warning; use umask
0749e17
@throwaway96
Copy link
Member Author

The script will now exit if the fallback directory can't be created (e.g., if it already exists), which should at least resolve one symlink issue.

I also replaced the chmod calls with just setting umask 077 at the beginning of the script. I think the only user-visible effect is $SESSION_TOKEN_CACHE no longer being world-readable. If that's a problem, I can save and restore the original umask.

I don't know if the warning at the top of the script is sufficient, but I'm not sure where else it should be mentioned.

I can squash these commits if desired.

@mariotaku mariotaku merged commit 44f2ffa into webosbrew:main Feb 27, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mariotaku mariotaku Awaiting requested review from mariotaku

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

The developer mode renewal script exposes the private ssh key to unintended users for a short time
2 participants
@throwaway96 @mariotaku