Hello, I'm reviewing rtslib-fb as part of Ubuntu's main inclusion process.
I believe that the save_to_file() method may have a race condition: https://github.com/open-iscsi/rtslib-fb/blob/7f791a6d8c06d06897f923b0c6ddaca91080d31a/rtslib/root.py#L464
The file is created before the modes are set to restrict access. If the umask of the process is set too wide, there is a very small window where a user who has installed an inotify watch on /etc/rtslib-fb-targets may be able to open /etc/rtslib-fb-targets/saveconfig.json.temp before the modes on the file are reduced. Once opened, any secrets stored in the file can be read.
Is there a better way to report security issues? I didn't see any guidance in the README.
Thanks
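
The create-then-restrict pattern described in the report, next to a form that sets the mode at creation time. This is an added example, not rtslib-fb's code and not part of the original post; the function names, the temporary directory and the sample secret are assumptions made up for the illustration.

```python
import json
import os
import stat
import tempfile


def save_create_then_chmod(path, data):
    """Pattern the report describes: create the file, restrict it afterwards."""
    tmp = path + ".temp"
    with open(tmp, "w") as f:  # created with 0o666 & ~umask
        mode_at_creation = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
        os.fchmod(f.fileno(), 0o600)  # anyone who opened it before this keeps access
        json.dump(data, f)
    os.replace(tmp, path)
    return mode_at_creation


def save_restricted_at_creation(path, data):
    """Hardened form: the file never exists with wider permissions than 0o600."""
    tmp = path + ".temp"
    # O_EXCL fails (FileExistsError) if the temp name already exists, including
    # as a symlink, so a pre-planted file is never reused.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        mode_at_creation = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
        json.dump(data, f)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)
    return mode_at_creation


def demo():
    """Return (mode at creation, old pattern; mode at creation, hardened) under umask 0."""
    config = {"chap_password": "constructed-sample-secret"}  # constructed data
    old_umask = os.umask(0)  # widest possible umask, the case the report warns about
    try:
        with tempfile.TemporaryDirectory() as d:
            racy = save_create_then_chmod(os.path.join(d, "a.json"), config)
            safe = save_restricted_at_creation(os.path.join(d, "b.json"), config)
    finally:
        os.umask(old_umask)
    return racy, safe


if __name__ == "__main__":
    racy, safe = demo()
    print(f"create-then-chmod: {racy:04o}  restricted-at-creation: {safe:04o}")
```
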