nefelim4ag / Ananicy

Ananicy - is Another auto nice daemon, with community rules support (Use pull request please)
GNU General Public License v3.0

Permission Dangerous #183

Open liberodark opened 4 years ago

liberodark commented 4 years ago

Hi,

I have installed your project; great idea, much easier than doing it by hand. But you use dangerous permissions. When you look at the files:

ls -lha ananicy.d/
total 40K
drwxr-xr-x   3 pc pc 4,0K déc.  16 14:20 .
drwxr-xr-x 157 root root  12K déc.  16 16:51 ..
-rw-r--r--   1 pc pc  260 déc.  16 14:20 00-cgroups.cgroups
drwxr-xr-x   3 pc pc  12K déc.  16 16:50 00-default
-rw-r--r--   1 pc pc 1,3K déc.  16 14:20 00-types.types
-rw-r--r--   1 pc pc  381 déc.  16 14:20 ananicy.conf

The permissions in /etc/ are user permissions; that should not be possible and opens security issues.

I have switched them to root for more security:

ls -lha ananicy.d/
total 40K
drwxr-xr-x   3 root root 4,0K déc.  16 14:20 .
drwxr-xr-x 157 root root  12K déc.  16 16:51 ..
-rw-r--r--   1 root root  260 déc.  16 14:20 00-cgroups.cgroups
drwxr-xr-x   3 root root  12K déc.  16 16:50 00-default
-rw-r--r--   1 root root 1,3K déc.  16 14:20 00-types.types
-rw-r--r--   1 root root  381 déc.  16 14:20 ananicy.conf

Same for:

ls -lha /lib/systemd/system/ananicy.service
-rw-r--r-- 1 pc pc 456 déc.  16 14:20 /lib/systemd/system/ananicy.service

If you want, I can help you with that on your project.

Best Regards

liberodark commented 4 years ago

One solution to force root for the package: https://github.com/Nefelim4ag/Ananicy/pull/187

kfeoktistoff commented 4 years ago

Alternative solution for deb distros: #202

The idea is to use a post-install hook. Once the deb package is installed, the script named postinst inside the deb package will be run. This script updates the ownership of all ananicy files to root:root. The package can be built by any user.

I'd say this solution is temporary, just to close the security issue quickly. The proper long-term solution should be setting up a CI pipeline which will build the packages with the proper permissions automatically on each merge into the master branch.

Techcable commented 3 years ago

Hmm, this doesn't seem to be a problem on my Arch Linux box? I installed via the AUR package ananicy-git. With ls -lha /etc/ananicy.d, I get

Permissions Size User Date Modified Name
.rw-r--r-- 260 root 3 Mar 13:42 00-cgroups.cgroups
drwxr-xr-x - root 3 Mar 13:42 00-default
.rw-r--r-- 1.3k root 3 Mar 13:42 00-types.types
.rw-r--r-- 381 root 3 Mar 13:42 ananicy.conf

kfeoktistoff commented 3 years ago

@Techcable, yeah, your permissions are correct.
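
A check for the condition reported in this issue, as an added example that is not part of the thread or of the Ananicy project: it lists entries under the given paths whose owner or group is not the expected one, and goes slightly beyond the issue by also flagging group- or world-writable entries. The function name `audit_owner` and its output format are assumptions made for this example.

```sh
#!/bin/sh
# Added example: report entries that a non-root account could modify.
# Usage: audit_owner OWNER GROUP PATH...
#   OWNER/GROUP are names or numeric ids (root root for an installed package).
#   Prints one finding per line, returns 1 if there is any finding.
audit_owner() {
    owner=$1 group=$2
    shift 2
    findings=$(
        for p in "$@"; do
            if [ ! -e "$p" ]; then
                echo "MISSING $p"
                continue
            fi
            # Wrong owner or group, e.g. the packager's account "pc".
            find "$p" \( ! -user "$owner" -o ! -group "$group" \) -print |
                sed 's/^/OWNER /'
            # Writable by group or others; symlink modes are meaningless.
            find "$p" ! -type l \( -perm -020 -o -perm -002 \) -print |
                sed 's/^/WRITABLE /'
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use, with the paths from the issue:
#   sh audit.sh /etc/ananicy.d /lib/systemd/system/ananicy.service
if [ "$#" -gt 0 ]; then
    audit_owner root root "$@"
fi
```

Run against a package's staging directory with the expected ids, the same function can serve as a build-time gate before the package is published.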