Closed
Bug 561797
(CVE-2010-0180)
Opened 15 years ago
Closed 14 years ago
[SECURITY] checksetup.pl with $use_suexec=1 sets localconfig as world readable
Categories
(Bugzilla :: Installation & Upgrading, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 3.6
People
(Reporter: dgp-bz, Assigned: mkanat)
References
Details
(Keywords: regression, Whiteboard: [doesn't affect 3.4.x or older])
Attachments
(1 file, 8 obsolete files)
1.54 KB,
patch
|
timello
:
review+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.1.9) Gecko/20100330 Fedora/3.5.9-2.fc12 Firefox/3.5.9
Build Identifier: 3.6
localconfig is set as world readable (0644) by checksetup.pl's "fixing permissions" section if $suexec is enabled.
Reproducible: Always
Steps to Reproduce:
1. Extract bugzilla 3.6
2. Run ./checksetup.pl to generate localconfig
3. Edit localconfig setting suexec=1 (and other necessary details)
4. Run ./checksetup.pl again
Actual Results:
$ ls -l localconfig
-rw-r--r-- 1 bugzilla bugzilla 5638 2010-04-26 03:33 localconfig
Expected Results:
$ ls -l localconfig
-rw-r----- 1 bugzilla bugzilla 5638 2010-04-26 03:33 localconfig
Although the webserver is stopped from serving localconfig via .htaccess (if $create_htaccess = 1) this will not stop other users with shell access gaining the database password.
Comment 1•15 years ago
|
||
The only files that need to be readable by the webserver are the files that are directly served by the webserver (i.e. html, css, javascript, etc). Files which are only data files for the CGI scripts only need to be readable by the CGI scripts (thus the bugzilla user in this case)
There appears not to be any mechanism for this situation in Bugzilla/Install/Filesystem.pm ... localconfig must be group readable to the webservergroup when not using suexec or the webserver can't read it at all. Sounds like we need an additional category to put files into which are considered non-served data files.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee | ||
Comment 2•15 years ago
|
||
Okay. There are actually some other changes that need to be made to the set of permissions in Filesystem.pm, so I can do this.
Target Milestone: --- → Bugzilla 3.6
Assignee | ||
Updated•15 years ago
|
Hardware: x86 → All
Summary: checksetup.pl with $suexec=1 sets localconfig as world readable → checksetup.pl with $suexec=1 sets localconfig as world readable (suexec permissions have several problems)
Assignee | ||
Comment 3•15 years ago
|
||
Okay, I decided to overhaul the permissions system in general. This was the only reasonable way that I could get secure suexec permissions on all files and still get everything working. You'll notice that this patch contains a *lot* of changes--I don't think I can split them out and still get a secure system under both suexec and non-suexec.
Note that I don't care that much about the security of installations that don't specify a $webservergroup, so they will still be relatively insecure.
Here's a list of some important changes:
* All the permission types are now constants, so they can be accessed from
outside of Filesystem.pm, and because they really should be constants anyway.
* I added a bunch of new permission types, to differentiate between files
that the webserver serves, and files that cgi scripts read or write to.
* I added a constant DIR_ALSO_WS_SERVE, which can be OR'ed into any
directory permission type to indicate that cgis write to that directory
but then its contents are directly served to the user. I did this instead
of adding a new constant, because I would have had to add two new constants
that would have been hard to name, and probably confusing. This is pretty
readable.
* Before this patch, the "web" directory in extensions probably wasn't working
under suexec. This patch makes the "web" directory an official part of
extensions and makes Filesystem.pm correctly set permissions on it. It also
sets permissions on the rest of the extension much more tightly.
* The default permission of files in the Bugzilla root directory is now
OWNER_READ instead of the former $ws_readable. This should be a more secure
default--now we have to explicitly specify any file that we want the webserver
to be able to read, in the root dir.
* I fixed the suexec problems with dependency graphs. Once those permissions
were fixed, I noticed that files in data/webdot were world-readable, so
I added some code to fix their permissions properly while
showdependencygraph runs, and delete the png file briefly after the script
finishes. (And always delete the .map and .dot files, because we don't need
those once the cgi is done.)
* Old Charts are also world-readable under suexec, but I think those are
basically public information anyway, so I'm not so concerned about it.
Also, it would be much more complicated to delete them after a period
of time, because they have fixed names (they aren't regenerated on
every hit).
* I added permission-setting for the .bzr dir. I've made it OWNER_WRITEABLE.
It's hard to say whether or not somebody would put anything secure in there,
but it's always possible that their bzr history is private.
Assignee | ||
Comment 4•15 years ago
|
||
Oh, actually, I realized that I could simply make ALSO_WS_SERVE into 00001 and then people couldn't list the data/webdot directory, but the webserver could still serve files from it, because we always know the names of the files we're serving. So this eliminated the need for the unlinking in showdependencygraph.cgi (it's unlikely anybody's going to guess the names of our temp files).
Attachment #441701 -
Attachment is obsolete: true
Attachment #441702 -
Flags: review?(LpSolit)
Attachment #441701 -
Flags: review?(LpSolit)
Comment 5•15 years ago
|
||
ok, at first glance most of this looks good to me. I have a couple issues with the showdependencygraph stuff though.
In %create_dirs:
+ $webdotdir => DIR_CGI_WRITE,
That should be | DIR_ALSO_WS_SERVE, right?
The "wait 5 seconds before exiting" thing sounds hoaky to me. Some user-agents might wait for the connection to close downloading the initial page before they start loading images, which would make it moot. Pretty sure the major browsers aren't among those, but still... don't we already have a cleanup for this directory somewhere? (cleans stuff over a certain age?). If this is a concern, we should make the time shorter on that instead of doing it here.
If we do leave the unlink here, the .map file is served to the user-agent, so you need to use $unlink_png on the UNLINK for that one, also, otherwise it won't be there when the user-agent comes back for it. It also needs to have WS_SERVE permissions, regardless whether we unlink it or not when we're done.
Comment 6•15 years ago
|
||
the above comment midaired with your second attachment, so anything you already fixed can be ignored. :)
Assignee | ||
Comment 7•15 years ago
|
||
Ah, thanks for catching all that. This one fixes all the stuff justdave just pointed out.
Attachment #441702 -
Attachment is obsolete: true
Attachment #441703 -
Flags: review?(LpSolit)
Attachment #441702 -
Flags: review?(LpSolit)
Comment 8•15 years ago
|
||
(In reply to comment #5)
> In %create_dirs:
>
> + $webdotdir => DIR_CGI_WRITE,
>
> That should be | DIR_ALSO_WS_SERVE, right?
Same for 'graphs' immediately above it (sorry I didn't catch that one before)
Comment 9•15 years ago
|
||
So if I understand correctly, this leak is new in Bugzilla 3.6 and is due to bug 123165? In that case, I suppose this blocks 3.6.1?
Comment 10•15 years ago
|
||
Assuming bug 123165 is indeed the culprit, Bugzilla 3.5.1 and newer are affected.
Summary: checksetup.pl with $suexec=1 sets localconfig as world readable (suexec permissions have several problems) → [SECURITY] checksetup.pl with $suexec=1 sets localconfig as world readable (suexec permissions have several problems)
Version: unspecified → 3.5.1
Comment 11•15 years ago
|
||
Attachment #441703 -
Flags: review?(LpSolit) → review-
Assignee | ||
Comment 12•15 years ago
|
||
Note that in most SUExec environments (shared hosting) other users can't get at your files anyway, so this is not extremely critical.
Assignee | ||
Comment 13•15 years ago
|
||
Okay, fixed the default permissions of "graphs".
Attachment #441703 -
Attachment is obsolete: true
Attachment #441861 -
Flags: review?(justdave)
Attachment #441861 -
Flags: review?(LpSolit)
Comment 15•15 years ago
|
||
Comment on attachment 441861 [details] [diff] [review]
v4 (bundle)
Looks good.
Attachment #441861 -
Flags: review?(justdave) → review+
Assignee | ||
Updated•15 years ago
|
Attachment #441861 -
Flags: review?(LpSolit)
Assignee | ||
Comment 16•15 years ago
|
||
Okay, so we have somewhat of a dilemma here: this is kind of a huge refactoring that's somewhat hard to test. I've tested it fairly thoroughly, but when you mess with permissions, it's hard to say what's going to break on people's installs.
We have a few options:
1. Don't fix this in the 3.6 branch, and just warn people about it. This would still give 3.6 suexec support than 3.4 and earlier had.
2. Check this in on trunk only, let it "bake" for a while, and if things are OK, then backport it to a later 3.6 release.
3. Check this in to the 3.6 branch and risk breakage.
4. Do a backport that only fixes the localconfig issue. I think that this might be silly, because there are probably lots of other important files that should also be protected. But it's a possibility.
I'm most in favor of #1 or #4.
LpSolit and/or justdave?
Flags: approval?
Comment 17•15 years ago
|
||
(In reply to comment #16)
> 4. Do a backport that only fixes the localconfig issue.
> I'm most in favor of #1 or #4.
I'm in favor of #4 too. That's the single critical file which contains passwords and other sensitive data (I think data/params is already correctly protected, right?).
Assignee | ||
Comment 18•15 years ago
|
||
Okay, here is a super-simple patch for 3.6.
Attachment #445404 -
Flags: review?(LpSolit)
Updated•15 years ago
|
Attachment #445404 -
Flags: review?(LpSolit) → review+
Comment 19•15 years ago
|
||
Comment on attachment 445404 [details] [diff] [review]
3.6 v1
Looks good (untested). r=LpSolit
Updated•15 years ago
|
Flags: approval3.6?
Comment 20•15 years ago
|
||
Comment on attachment 441861 [details] [diff] [review]
v4 (bundle)
OK, this patch breaks installations using the PROJECT environment variable. I have two localconfig files in the same bugzilla/ directory: the default one named localconfig, and the one used by PROJECT=foo named localconfig.foo. When running checksetup.pl, it sets permissions to 640 for the localconfig file corresponding to the PROJECT env variable, setting the other one to 400, making it unreadable by the web server, and so breaking all other installations.
Attachment #441861 -
Flags: review-
Comment 21•15 years ago
|
||
I guess the backport for 3.6 doesn't have this problem?
Flags: approval?
Flags: approval3.6?
Assignee | ||
Updated•15 years ago
|
Blocks: CVE-2010-3764
Assignee | ||
Comment 22•15 years ago
|
||
Okay, I fixed the localconfig $PROJECT problem, and I also eliminated DIR_OWNER_READ, because it was preventing me from using "bzr up" (because I couldn't write to certain directories).
Attachment #441861 -
Attachment is obsolete: true
Attachment #446972 -
Flags: review?(LpSolit)
Assignee | ||
Comment 23•15 years ago
|
||
I also eliminated OWNER_READ--it was problematic on docs/bugzilla.ent, and I think we didn't really need it. Using OWNER_WRITE is fine.
Attachment #446972 -
Attachment is obsolete: true
Attachment #446974 -
Flags: review?(LpSolit)
Attachment #446972 -
Flags: review?(LpSolit)
Assignee | ||
Comment 24•15 years ago
|
||
Oops, accidentally included an unnecessary change to a contrib/ file.
Attachment #446974 -
Attachment is obsolete: true
Attachment #446975 -
Flags: review?(LpSolit)
Attachment #446974 -
Flags: review?(LpSolit)
Assignee | ||
Updated•15 years ago
|
Attachment #446975 -
Flags: review?(justdave)
Assignee | ||
Comment 25•15 years ago
|
||
Okay, I've decided that I'm just going to give this security bug a simple fix, here, and then I will do the major refactoring in a separate bug.
This is basically the "3.6 fix" from above, but taking into account the PROJECT problem. It should apply to both trunk and the 3.6 branch.
Attachment #445404 -
Attachment is obsolete: true
Attachment #446975 -
Attachment is obsolete: true
Attachment #452951 -
Flags: review?(timello)
Attachment #446975 -
Flags: review?(justdave)
Attachment #446975 -
Flags: review?(LpSolit)
Assignee | ||
Updated•15 years ago
|
No longer blocks: CVE-2010-3764
Assignee | ||
Updated•15 years ago
|
Summary: [SECURITY] checksetup.pl with $suexec=1 sets localconfig as world readable (suexec permissions have several problems) → [SECURITY] checksetup.pl with $suexec=1 sets localconfig as world readable
Comment 26•14 years ago
|
||
Comment on attachment 452951 [details] [diff] [review]
v8 (simple fix)
It looks ok. I didn't test it for multiple projects though, but it should ok as it works for a single project.
Attachment #452951 -
Flags: review?(timello) → review+
Updated•14 years ago
|
Flags: approval?
Assignee | ||
Updated•14 years ago
|
Flags: approval3.6?
Assignee | ||
Updated•14 years ago
|
Flags: approval?
Flags: approval3.6?
Flags: approval3.6+
Flags: approval+
Assignee | ||
Comment 27•14 years ago
|
||
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/Install/Filesystem.pm
Committed revision 7245.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.6/
modified Bugzilla/Install/Filesystem.pm
Committed revision 7111.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Summary: [SECURITY] checksetup.pl with $suexec=1 sets localconfig as world readable → [SECURITY] checksetup.pl with $use_suexec=1 sets localconfig as world readable
Comment 29•14 years ago
|
||
(In reply to comment #3)
> * I fixed the suexec problems with dependency graphs. Once those permissions
> were fixed, I noticed that files in data/webdot were world-readable, so
> I added some code to fix their permissions properly while
> showdependencygraph runs, and delete the png file briefly after the script
> finishes. (And always delete the .map and .dot files, because we don't need
> those once the cgi is done.)
...
> * I added permission-setting for the .bzr dir. I've made it OWNER_WRITEABLE.
> It's hard to say whether or not somebody would put anything secure in there,
> but it's always possible that their bzr history is private.
These two issues are now classified as CVE-2010-2470 and have been filed separately as bug 576060.
Comment 30•14 years ago
|
||
Does this bug affect 3.4.5 or can I conclude from the detailed list of affected versions that it doesn't?
Comment 31•14 years ago
|
||
(In reply to comment #30)
> Does this bug affect 3.4.5 or can I conclude from the detailed list of affected
> versions that it doesn't?
3.4.5 is not affected. The first affected version is 3.5.1.
You need to log in
before you can comment on or make changes to this bug.
Description
•