Re: Question about world readable config files and commented warnings

[vladz <vladz () devzero fr>]

On Tue, Jun 30, 2015 at 08:31:08AM -0600, Kurt Seifried wrote:
> From a developer perspective I somewhat agree, however I'm looking at
> this from a vendor perspective where we do control the chmod, easily
> (RPM spec file).

I don't know if this is relevant, but I also regularly find applications
that, during their installation phases, set the correct permissions to
sensitive files (600 for instance) but in a insecure manner, i.e. they:

    1) create the file (perms will depend on root umask, usually 022)
    2) restrict its permissions (chmod 600)
    3) open the file and write sensitive content in it

I won't paraphrase this post [1], but chmod 600 on a file isn't sufficient
to preserve a file content on a multiuser system: a local user can open the
file in read-only right after 1) to obtain a file descriptor, and use it
for later content disclosure after 3).

We all know that a better way to create the file would be to set the
adequate umask first.  But the above steps can be found in initialization
and installation scripts (I can share a non-exhaustive list if wished).  I
also wouldn't recommend the use of "-m 600" in the "install" command as it
has the same problem:

    # touch f1
    # strace install -m 600 f1 f2
    [...]
    open("f2", O_WRONLY|O_CREAT|O_EXCL, 0644) = 4 // here f2 is readable
    chmod("f2", 0600)                         = 0

Regards,
vladz.

  [1] http://www.openwall.com/lists/oss-security/2013/08/20/13