search

kitodo / kitodo-production

Kitodo.Production is a workflow management tool for mass digitization and is part of the Kitodo Digital Library Suite.
http://www.kitodo.org/software/kitodoproduction/
GNU General Public License v3.0
64 stars 63 forks source link

Unsecure file permissions after running build #6137

Open stweil opened 4 months ago

stweil commented 4 months ago

Describe the bug After running mvn clean build several script files are writable for any user who has access to the build host:

-rw-rw-rw-  1 stweil  wheel  355 21 Jul 08:13 Kitodo-Command/src/test/resources/not_working_script.sh
-rw-rw-rw-  1 stweil  wheel  359 21 Jul 08:13 Kitodo-Command/src/test/resources/working_script.sh
-rw-rw-rw-  1 stweil  wheel  350 21 Jul 08:13 Kitodo-Command/src/test/resources/working_script_with_parameters.sh
-rw-rw-rw-  1 stweil  wheel  459 21 Jul 08:13 Kitodo-FileManagement/src/test/resources/scripts/script_createDirMeta.sh
-rw-rw-rw-  1 stweil  wheel  370 21 Jul 08:13 Kitodo/src/test/resources/scripts/long_working_script_1s.sh
-rw-rw-rw-  1 stweil  wheel  371 21 Jul 08:13 Kitodo/src/test/resources/scripts/long_working_script_2s.sh
-rw-rw-rw-  1 stweil  wheel  511 21 Jul 08:13 Kitodo/src/test/resources/scripts/script_createSymLink.sh
-rw-rw-rw-  1 stweil  wheel  476 21 Jul 08:13 Kitodo/src/test/resources/scripts/script_deleteSymLink.sh
-rw-rw-rw-  1 stweil  wheel  360 21 Jul 08:13 Kitodo/src/test/resources/scripts/working_script.sh
-rw-rw-rw-  1 stweil  wheel  350 21 Jul 08:13 Kitodo/src/test/resources/scripts/working_script_with_parameters.sh

A malicious user can replace the script code with any code which would be run with the next build process.

Of course this is not a problem on build hosts with a single user or only trusted users as long as these build hosts cannot be accessed from outside (otherwise for example security issues in web applications could be used to modify the script files). But if this is a precondition for secure builds, it must be mentioned prominently.

To Reproduce Steps to reproduce the behavior:

  1. Clone kitodo-production and enter its root directory.
  2. Prepare the build und run mvn clean build (optionally with additional parameters).
  3. The scripts listed above are now world-writable.

Expected behavior The build process must not create files which are world-writable.

Release The bug exists for a long time now – also in the latest code.