Bug 4070 – File cache world writable

Bug 4070 - File cache world writable

Summary:

File cache world writable

Status:	RESOLVED WORKSFORME

Product:	Logitech Media Server
Classification:	Unclassified
Component:	Misc
Version:	6.5b1
Platform:	PC Linux (other)

Importance:	P2 minor (vote)
Target Milestone:	---
Assigned To:	Chris Owens

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2006-09-09 02:47 UTC by rob.macgregor
Modified:	2011-03-16 04:19 UTC (History)
CC List:	1 user (show)

See Also:
Category:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description rob.macgregor 2006-09-09 02:47:21 UTC

I've been seeing an odd "problem" with 6.5b1 - the permissions of the files in the FileCache are world writable, and generally unusual:

-r-xrw-rwx    1 slimd    slimd         899 Sep  8 10:46 000321b29b8cd78367a440127fcfc695e5dd3467*

This causes the nightly Mandrake security scan looking for world writable files to generate a lot of lines of output :)

The umask of the user slimserver starts as is 0022 and other files aren't created world writable.

Set as minor because it's probably not a significant problem.

Comment 1 Andy Grundman 2006-09-09 04:12:22 UTC

Fixed in change 9520.

Comment 2 rob.macgregor 2006-09-17 03:18:54 UTC

Still visible in 6.5b3 (9697):

 15963    4 -r-xrw-rwx   1 slimd    slimd         785 Sep 16 10:29 Cache/FileCache/7/b/c/7bcbb1c8ebb6950a53c0028d5e5e4f1512721b64
  8944    4 -r-xrw-rwx   1 slimd    slimd         708 Sep 17 10:01 Cache/FileCache/7/b/d/7bdd0cb8a8399418bb19c4bacb883ec265d020ae
  8977   12 -r-xrw-rwx   1 slimd    slimd        9902 Sep 17 10:07 Cache/FileCache/7/b/d/7bd77871f7eec0807f4afa477c0e16fe84df2e99
 38570    4 -r-xrw-rwx   1 slimd    slimd         932 Sep 17 10:06 Cache/FileCache/7/b/f/7bf5369290305b842b8f267da85fc78d8fee32fc

Mandrake 9.1, Perl 5.8.8 (from source).

This is with a fresh install.

Comment 3 Andy Grundman 2006-09-17 09:01:24 UTC

What is your umask set to?  Here's how it looks for me with umask of 0022:

Directory:
drwxr-xr-x    7 andy     andy          238 Sep 17 12:00 FileCache

All cache items:
-rw-r--r--    1 andy     andy       109248 Sep 17 12:00 FileCache/2/8/c/28cf0135e7fd4b6c279ea7aeacbb8eca00ceffb7

Comment 4 rob.macgregor 2006-09-17 10:05:39 UTC

Subject: Re:  File cache world writable

On 9/17/06, Slim Devices Bugzilla <bugs@bugs.slimdevices.com> wrote:
> https://bugs-archive.lyrion.org/show_bug.cgi?id=4070
>
> ------- Comment #3 from andy@slimdevices.com  2006-09-17 09:01 -------
> What is your umask set to?  Here's how it looks for me with umask of 0022:

Umask is 0077.

Comment 5 Dan Sully 2006-09-18 11:01:52 UTC

Rob - the original bug here is fixed. You'll need to change your umask to have the directory created with the permissions you desire.

Comment 6 Andy Grundman 2006-09-18 11:06:41 UTC

FYI, umask 0077 for me produces the following results on OSX:

Dir:
drwx------    7 andy     andy          238 Sep 18 14:03 FileCache

A cache file:
-r-xrw-rwx    1 andy     andy       109248 Sep 18 14:03 28cf0135e7fd4b6c279ea7aeacbb8eca00ceffb7

But the directory containing this file is:
drwx------    3 andy     andy          102 Sep 18 14:03 c

So this should still be secure.  

Note that there is nothing sensitive stored in our cache files, it's mostly used to cache HTTP pages, XML data, etc.

Comment 7 rob.macgregor 2006-09-18 11:16:45 UTC

Subject: Re:  File cache world writable

On 9/18/06, Slim Devices Bugzilla <bugs@bugs.slimdevices.com> wrote:
> https://bugs-archive.lyrion.org/show_bug.cgi?id=4070
>
> ------- Comment #5 from dan@slimdevices.com  2006-09-18 11:01 -------
> Rob - the original bug here is fixed. You'll need to change your umask to have
> the directory created with the permissions you desire.

Uh huh?  So, with a umask of 0077 you expect files to be created world
writable?  I'd expect only the owner to have access!

The directories are fine:

 66873    0 drwx------   2 slimd    slimd         104 Sep 18 11:55 ./0/c/0

It's the files that are world writable:

 66058    4 -r-xrw-rwx   1 slimd    slimd         977 Sep 18 11:55
./0/c/0/0c022eab1b410d188e198035e7aa12c0b63149f3

<Shrug> I can't really object if you want to close it, but it *is*
still generating world writable *files*, it's just the directories
that no longer suffer that problem.  Admittedly you'd have to know the
file name for it to be a real problem, but I'm picky that way (and I'd
have to question why the files need to be world writable).

Comment 8 rob.macgregor 2006-09-18 11:25:42 UTC

Subject: Re:  File cache world writable

On 9/18/06, Slim Devices Bugzilla <bugs@bugs.slimdevices.com> wrote:
> https://bugs-archive.lyrion.org/show_bug.cgi?id=4070
>
> ------- Comment #6 from andy@slimdevices.com  2006-09-18 11:06 -------
> FYI, umask 0077 for me produces the following results on OSX:
>
> Dir:
> drwx------    7 andy     andy          238 Sep 18 14:03 FileCache
>
> A cache file:
> -r-xrw-rwx    1 andy     andy       109248 Sep 18 14:03
> 28cf0135e7fd4b6c279ea7aeacbb8eca00ceffb7
>
> But the directory containing this file is:
> drwx------    3 andy     andy          102 Sep 18 14:03 c

Confirms what I'm seeing, which isn't what I'd expect from the umask
(but does at least confirm that I'm not going crazy :>).

> So this should still be secure.
>
> Note that there is nothing sensitive stored in our cache files, it's mostly
> used to cache HTTP pages, XML data, etc.

Yeah.  I can't think of any non-trivial way of exploiting it with a
umask of 0077.  I'd be more concerned about systems running with
lesser umasks.

After all, it's not just what's written to them, but what you could do
when they're read back in :-) (though if anybody is stupid enough to
run the slimserver as root then that's their own fault).

As I said, I can't really object to the bug being closed, locking down
the directories is good enough after all.