openhpi2 / Open-HPI-base

Open HPI is an open source implementation of the SA Forum's Hardware Platform Interface (HPI). HPI provides an abstracted interface to managing computer hardware, typically for chassis and rack based servers.

uid_map created as world writable - a security risk #2509

Closed openhpi2 closed 8 years ago

openhpi2 commented 11 years ago

uid_map file is created as world writable which may be a security risk. Some input provided by Anton is:

It is a reasonable concern. Guess we should create a bug ticket for this.

There are two workarounds:

1) it is possible to run openhpi daemon without using uid_map.
2) it is possible to set uid_map file location other than /tmp or /var.

    Anton Pak

The file should be less than or equal to 644.

Reported by: dr_mohan

openhpi2 commented 11 years ago

**_ATTENTION_** This account is disabled and is no longer accessed by the recipient. Please remove it from your address book.

Thanks

Original comment by: tariqx

openhpi2 commented 11 years ago

Original comment by: dr_mohan

openhpi2 commented 11 years ago

The patch is uploaded. It creates the uid_map file with 644 permission (umask set to 022). It does not change the permissions on the existing file as the user could set it to 600 or some other permission manually.

This is a very simple patch. Please review.

Original comment by: dr_mohan
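The creation pattern this comment describes (umask forced to 022, explicit 0644 mode, existing files left alone) next to the risky inherited-umask pattern it replaces, as an added C example that is not OpenHPI's code; the two /tmp paths are constructed for the demonstration only.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed demo paths; the daemon's real uid_map location is configured separately. */
#define MAP_PATH_SAFE   "/tmp/openhpi_uid_map_example_safe"
#define MAP_PATH_UNSAFE "/tmp/openhpi_uid_map_example_unsafe"

/* Permission bits (0777 mask) of path, or -1 if it cannot be stat'ed. */
int mode_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* 1 if the file is writable by "other" (S_IWOTH), 0 if not, -1 on error. */
int is_world_writable(const char *path)
{
    int m = mode_bits(path);
    return m < 0 ? -1 : ((m & S_IWOTH) ? 1 : 0);
}

/* The risky pattern: a 0666 creation mode whose final bits depend entirely
 * on whatever umask the daemon inherited. Returns the resulting mode bits. */
int create_with_inherited_umask(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT, 0666);
    if (fd < 0) return -1;
    close(fd);
    return mode_bits(path);
}

/* The fix described in the thread: force umask 022 around creation, ask for 0644
 * explicitly, then restore the caller's umask. A pre-existing file keeps whatever
 * mode the administrator set (e.g. 0600). Returns the resulting mode bits. */
int create_map_file(const char *path)
{
    mode_t saved = umask(022);
    int fd = open(path, O_WRONLY | O_CREAT, 0644);
    umask(saved);
    if (fd < 0) return -1;
    close(fd);
    return mode_bits(path);
}
```

With the process umask set to 0 (as a daemon started from a permissive environment might be), the first function yields a 0666 world-writable file while the second yields 0644, and a second call on a file already chmod'ed to 0600 leaves it at 0600.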

openhpi2 commented 11 years ago

Original comment by: dr_mohan

openhpi2 commented 11 years ago

New patch that applies only to non-Windows platforms.

Original comment by: dr_mohan

openhpi2 commented 11 years ago

Original comment by: dr_mohan

openhpi2 commented 11 years ago

Fixed with checkin #7558

Original comment by: dr_mohan

openhpi2 commented 11 years ago

Original comment by: dr_mohan