Closed URZ-HD closed 3 years ago
Yes, that is an oversight.
Problem is that dropping privileges is actually a good idea here, as user input is parsed here, and any kind of e.g. buffer overflow would be pretty bad. So the argument parser and the yaml parser could be attacked here if the privileges would not be dropped before. It is a question of trust in those external libraries.
May be it would make sense to read the file unconditionally before dropping privileges into a buffer and parse the buffer later,
should be fixed.
Hi, you are right, parsing the userinput should be down with dropped privileges. Another way to achieve this, might be dropping the permissions for the commandline call to the current user (=owner of the home), instead of the dbuid-user ? Afterwards the privileges can be dropped to dbuid-user.
best, Sven
i moved the reading before the checking in latest version, that should solve the problem. Also added a check if the file is a symlink, as the reading is now with privileges and could be used to get a few bytes from some files.
perfect, thanks.
Hi, we are using workspaces with setuid options.
ws_allocate
has is installed correctly with 4755 permission bits. If the user home is limited to 0700 permission (which should be the default for Home directories), the workspace tools are not able to access the path "~/.ws_user.conf":I've added the following debug code to
ws_allocate.cpp
(Line 159):This shows the error:
After changing the HOME permissions to 0755, it works like expected:
I think the problem would be the "drop_cap" function call before the commandline parsing. Is this intended behaviour or can the "drop_cap" call simply moved after the commandline function ?
thanks, Sven