
Item15135: directories in working directory are created as world writable 777 permissions

Priority: Security
Current State: Closed
Released In: 2.1.8
Target Release: patch
Applies To: Engine
Component: Foswiki::Func
Branches: Release02x01 master
Reported By: GeorgeClark
Waiting For:
Last Change By: MichaelDaum
Some directories created dynamically in foswiki/working/ and /foswiki/working/work_areas/ are created with 777 permissions, allowing their contents to be read and written by all users on the server. This has the potential to permit injection of data into Foswiki responses, or to allow snooping of private data cached by Foswiki.

  1594001    264 drwxrwxrwx   2 www-data www-data   270336 May 20 00:13 ./working/cache
  1720554      4 drwxrwxrwx   2 www-data www-data     4096 May 14 21:53 ./working/work_areas/ClassificationPlugin
  1720450      4 drwxrwxrwx   2 www-data www-data     4096 May 21 21:57 ./working/work_areas/FlexWebListPlugin
  1707259      4 drwxrwxrwx   2 www-data www-data     4096 May 14 10:39 ./working/work_areas/CaptchaPlugin
  1707370      4 drwxrwxrwx  10 www-data www-data     4096 May 21 21:56 ./working/work_areas/DBCacheContrib/segments
  1715079      4 drwxrwxrwx   3 www-data www-data     4096 Nov 30  2019 ./working/work_areas/ImagePlugin
  1715080      4 drwxrwxrwx   3 www-data www-data     4096 Nov 30  2019 ./working/work_areas/ImagePlugin/cache
  1715081      4 drwxrwxrwx  18 www-data www-data     4096 Nov 30  2019 ./working/work_areas/ImagePlugin/cache/Default
  1714739      4 drwxrwxrwx   3 www-data www-data     4096 May  1 21:04 ./working/work_areas/CacheContrib

The default {Store}{dirPermission} is 0x755, which, if applied to workarea directories, would be an improvement, but it would probably be better if there were an explicit setting for working.

The Foswiki::Func::saveFile() makes no reference to file or directory permissions. Foswiki::Store::getWorkArea() creates the directory if it doesn't exist using mkdir($dir). It should probably be coded similarly to PlainFile's _mkPathTo.

-- GeorgeClark - 23 May 2022

The default value for dirPermissions actually is 0755 which is an octal value, whereas 0x755 is a hex value... Could you please double check your config?

-- MichaelDaum - 23 May 2022

Yeah, that's just a typo in the task itself. Configure shows 0755 and $Foswiki::cfg{Store}{dirPermission} = 493; which is indeed 0755 octal.

Digging a bit more, it's the directories that are being created as 0777, not files. Files are okay. So it's not as severe an exposure, as far as I can tell. But still, it's not good practice for anything to be world readable/writable. Cache files cannot be changed, but, however unlikely, new files could be introduced into the cache.

I tried changing the default umask in the init-script when foswiki.fcgi is started, but that appears to have had no impact.

-- GeorgeClark - 23 May 2022

Hm, just did a fresh install with above settings:

www-data@foswiki:~/foswiki$ ls -la working/work_areas/UpdatesPlugin/
total 140
drwxrwxr-x 2 www-data www-data 4096 Jun 17 15:55 .
drwxr-xr-x 3 www-data www-data 4096 Jun 17 15:55 ..
-rw-rw-r-- 1 www-data www-data  132 Jun 17 15:55 AutoViewTemplatePlugin
-rw-rw-r-- 1 www-data www-data  178 Jun 17 15:55 CommentPlugin
...

So dirs and files seem to be fine here ...

-- MichaelDaum - 17 Jun 2022

What are the permissions in the working/workareas directory? Not the files in the UpdatesPlugin directory.

Foswiki::Func::getWorkArea() calls Foswiki::getWorkArea which calls Store::getWorkArea(). That code is as follows:

    unless ( -d $dir ) {
        mkdir($dir) || throw Error::Simple(<<ERROR);
Failed to create $key work area. Check your setting of {WorkingDir}
in =configure=.
ERROR
    }
    return $dir;
}

So the $dir is created using whatever system default umask is in effect. For whatever reason, on my system, Ubuntu 18.04 w/ nginx, those directories are created with world read/write permission.

~$ ls -la /var/www/(site)/working/work_areas/
total 280
drwxrwx--- 15 www-data www-data   4096 Jun 11 23:24 .
drwxrwx---  8 www-data www-data   4096 Jun 12 00:17 ..
drwxrwxrwx  3 www-data www-data   4096 Jun 11 22:44 CacheContrib
drwxrwxrwx  2 www-data www-data   4096 Jun 11 23:24 CaptchaPlugin
drwxrwxrwx  2 www-data www-data   4096 Jun 11 22:44 ClassificationPlugin
...

The Foswiki::Store::PlainFile::_mkPathTo() is explicit in its permissions:

    eval {
        File::Path::mkpath( $path, 0, $Foswiki::cfg{Store}{dirPermission} );
    };
    if ($@) {
        die("PlainFile: failed to create ${path}: $!");
    }
}

This seems to be a better solution.

-- GeorgeClark - 17 Jun 2022
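
The difference between the two snippets quoted in the comment above, as an added example that is not part of the original thread and not Foswiki's own code: a bare mkdir($dir) takes its mode from 0777 masked by the process umask, while an explicit mode followed by chmod gives the same result under any umask. $DIR_PERMISSION and make_work_area are hypothetical names; the former stands in for $Foswiki::cfg{Store}{dirPermission}.

```perl
#!/usr/bin/perl
# Added example (not Foswiki code): how the process umask decides the mode of
# a directory created by a bare mkdir(), and a helper that pins the mode.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(mkpath);

# Assumption: stands in for $Foswiki::cfg{Store}{dirPermission} (0755 = 493).
my $DIR_PERMISSION = 0755;

# Permission bits of a path (type bits masked off).
sub mode_of {
    my ($path) = @_;
    my @st = stat($path) or die "stat $path: $!";
    return $st[2] & 07777;
}

# Hypothetical helper: create $dir with an explicit mode, then chmod if the
# result differs, so the outcome does not depend on the umask. It also
# tightens a directory that already exists with looser permissions.
sub make_work_area {
    my ( $dir, $mode ) = @_;
    mkpath( $dir, 0, $mode ) unless -d $dir;
    if ( mode_of($dir) != $mode ) {
        chmod( $mode, $dir ) or die "chmod $dir: $!";
    }
    return $dir;
}

my $root  = tempdir( CLEANUP => 1 );    # constructed scratch area
my $saved = umask();

for my $mask ( 0022, 0000 ) {
    umask($mask);
    my $tag = sprintf( '%03o', $mask );

    # Pattern quoted from Store::getWorkArea(): no mode argument, so the
    # directory gets 0777 with the umask bits cleared.
    my $bare = "$root/bare_$tag";
    mkdir($bare) or die "mkdir $bare: $!";

    # Explicit mode, as in _mkPathTo, plus a chmod safety net.
    my $pinned = make_work_area( "$root/pinned_$tag", $DIR_PERMISSION );

    printf "umask %s  bare mkdir: %04o  pinned: %04o\n",
      $tag, mode_of($bare), mode_of($pinned);
}
umask($saved);
```

The mode passed to mkpath is itself masked by the umask, which is why the helper checks the result and calls chmod rather than relying on the mode argument alone.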
 

ItemTemplate

Summary directories in working directory are created as world writable 777 permissions
ReportedBy GeorgeClark
Codebase 2.1.7
SVN Range
AppliesTo Engine
Component Foswiki::Func
Priority Security
CurrentState Closed
WaitingFor
Checkins distro:52f8173b37b4 distro:227f491d69bc
TargetRelease patch
ReleasedIn 2.1.8
CheckinsOnBranches Release02x01 master
trunkCheckins
masterCheckins distro:227f491d69bc
ItemBranchCheckins
Release02x01Checkins distro:52f8173b37b4
Release02x00Checkins
Release01x01Checkins
Topic revision: r8 - 06 Aug 2023, MichaelDaum