Edgewall Software

Ticket #6604 (closed defect: fixed)

Opened 8 months ago

Last modified 7 weeks ago

[PATCH] tracd pidfile is created world-writable

Reported by: olly@… Owned by: remy.blank@…
Priority: high Milestone: 0.11.1
Component: web frontend/tracd Version:
Severity: normal Keywords: security
Cc: remy.blank@…

Description

If tracd is run with -d and --pidfile, then while daemonising the umask is set to 0 and the pidfile is then created with file permissions 0777. This means that any user on the system can change its contents, which could result in a different process being killed if someone does kill -INT `cat pidfile`.

Attachments

configurable-umask.patch (1.7 kB) - added by Remy Blank <remy.blank@…> 7 weeks ago.
Patch against 0.11-stable [7346] making umask configurable, with 022 as default
file-creation-mode-0666.patch (1.0 kB) - added by Remy Blank <remy.blank@…> 7 weeks ago.
Patch against 0.11-stable [7346] setting mode of created files to 0666 instead of 0777

Change History

Changed 5 months ago by cboos

  • keywords security added
  • milestone set to 0.11.1

Seems worth fixing.

Changed 7 weeks ago by Remy Blank <remy.blank@…>

  • cc remy.blank@… added

The problem is even worse: due to the os.umask(0) call in trac.util.daemon.py, any files created by Trac will have 0777 permissions. I don't think this was intended.

I see two possible solutions:

  • Drop the os.umask(0) call and keep the calling umask. The UNIX programming FAQ, section 1.7, point 5 lists this step as optional, to "have complete control over the permissions of anything we write". For tracd, it might make more sense to use the calling umask so that it can be customized by the caller.

  • trac/util/daemon.py

    old new  
    5050 
    5151    # Decouple from parent environment 
    5252    os.chdir('/') 
    53     os.umask(0) 
    5453    os.setsid() 
    5554 
    5655    # Perform second fork 
  • Add a command-line option to pass the desired umask (with a default of e.g. 0644).

Please let me know if the second solution is preferred, and I'll provide a patch.

Changed 7 weeks ago by Remy Blank <remy.blank@…>

A related issue is that files created by Trac using os.open() (attachments, plugins installed by the admin interface) get a default mode of 0777. This means that they are marked as executable. Whereas files created with open() get a default mode of 0666.

This also affects other frontends (CGI, mod_python).

I would suggest passing a 0666 mode to every call to os.open(). There are only two occurrences in 0.11-stable, one in trac/util/__init__.py and one in trac/admin/web_ui.py.

Let me know if you would like me to submit a patch.

Changed 7 weeks ago by cboos

  • owner jonas deleted
  • priority changed from normal to high
  • milestone changed from 0.11.2 to 0.11.1

See also similar issue Django:ticket:6994.

They now use a default value of 022 for the umask and have it configurable. I'd say for Trac, changing the default would be enough.

Changed 7 weeks ago by Remy Blank <remy.blank@…>

Patch against 0.11-stable [7346] making umask configurable, with 022 as default

Changed 7 weeks ago by Remy Blank <remy.blank@…>

Patch against 0.11-stable [7346] setting mode of created files to 0666 instead of 0777

Changed 7 weeks ago by Remy Blank <remy.blank@…>

  • summary changed from tracd pidfile is created world-writable to [PATCH] tracd pidfile is created world-writable

Changed 7 weeks ago by cboos

  • owner set to remy.blank@…

Changed 7 weeks ago by cboos

  • status changed from new to closed
  • resolution set to fixed

Patches applied in r7358 and r7359. Thanks!

Add/Change #6604 ([PATCH] tracd pidfile is created world-writable)

Author



Change Properties
<Author field>
Action
as closed
Next status will be 'reopened'
 
Note: See TracTickets for help on using tickets.