authorDavid Oberhollenzer <david.oberhollenzer@sigma-star.at>2020-05-03 01:43:11 +0200
committerDavid Oberhollenzer <david.oberhollenzer@sigma-star.at>2020-05-03 01:43:11 +0200
commit4f08666b8aafe66d4786158c8f26dec1c540893b (patch)
treeed76d353aed4601d7075dab978c8d0e4c5ecf350
parent0ef91d8ffc4d9eecf5733b4dd173ccebad6c00d6 (diff)
Fix: use 0644 as default permissions when creating files
Until now, when packing or unpacking a SquashFS image, files were created with paranoid permissions (i.e. 0600). The rationale behind this was that otherwise, the tools may inadvertently expose secrets, e.g. if a root user packs files that aren't world readable, such as the /etc/shadow file, but the packed SquashFS image is, we have accidentally leaked this file to other users that can access the newly created SquashFS image. The same line of reasoning also applies when unpacking files. Unfortunately, this breaks a list of other, more common standard use cases (e.g. a build server where an image is built by a daemon running as user X but then has to be accessed by another daemon running as Y). This commit changes to a more standard approach of using permissive file permissions by default and asking paranoid users to simply use a paranoid umask. For tar2sqfs & gensquashfs this simply means changing the default permissions in the libsquashfs file implementation. For rdsquashfs on the other hand there is still the use case where the unpacked files get the permissions from the [secret] image, so setting a strict umask is not applicable and changing to permissive file mode leaks something. For this case a second code path needs to be added that derives the permissions from the ones in the image. Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
-rw-r--r--bin/rdsquashfs/restore_fstree.c17
-rw-r--r--lib/sqfs/unix/io_file.c2
2 files changed, 13 insertions, 6 deletions
diff --git a/bin/rdsquashfs/restore_fstree.c b/bin/rdsquashfs/restore_fstree.c
index 8f99439..e79f333 100644
--- a/bin/rdsquashfs/restore_fstree.c
+++ b/bin/rdsquashfs/restore_fstree.c
@@ -7,10 +7,11 @@
#include "rdsquashfs.h"
#ifdef _WIN32
-static int create_node(const sqfs_tree_node_t *n, const char *name)
+static int create_node(const sqfs_tree_node_t *n, const char *name, int flags)
{
WCHAR *wpath;
HANDLE fh;
+ (void)flags;
wpath = path_to_windows(name);
if (wpath == NULL)
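Review bot: `(void)flags;` discards the new parameter in the Windows variant, so UNPACK_CHMOD changes nothing about how files are created on that platform, while the POSIX variant further down derives the creation mode from the image when the flag is set. If that asymmetry is intentional, a one-line comment at the cast, `/* UNPACK_CHMOD is not applied when creating files on Windows */`, saves the next reader from searching for a missing branch. The function body continues beyond the end of this hunk.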
@@ -43,10 +44,10 @@ fail:
return -1;
}
#else
-static int create_node(const sqfs_tree_node_t *n, const char *name)
+static int create_node(const sqfs_tree_node_t *n, const char *name, int flags)
{
sqfs_u32 devno;
- int fd;
+ int fd, mode;
switch (n->inode->base.mode & S_IFMT) {
case S_IFDIR:
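Review bot: `int fd, mode;` declares the creation mode as int although the third argument of open() is a mode_t; `int fd;` followed by `mode_t mode;` keeps the type of that argument explicit and avoids an implicit conversion of the value computed in the S_IFREG case. The variable is assigned only on that path and read nowhere else in the visible code, which is fine but worth a short comment at the declaration, `/* creation mode, only used for S_IFREG */`. create_node's body continues past the end of this hunk.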
@@ -88,7 +89,13 @@ static int create_node(const sqfs_tree_node_t *n, const char *name)
}
break;
case S_IFREG:
- fd = open(name, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ if (flags & UNPACK_CHMOD) {
+ mode = (n->inode->base.mode & ~S_IFMT) | 0200;
+ } else {
+ mode = 0644;
+ }
+
+ fd = open(name, O_WRONLY | O_CREAT | O_EXCL, mode);
if (fd < 0) {
fprintf(stderr, "creating %s: %s\n",
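Review bot: The UNPACK_CHMOD branch at `mode = (n->inode->base.mode & ~S_IFMT) | 0200;` masks only the file-type field, so setuid, setgid and sticky bits taken from the image are handed to open() and the file carries them from the moment it is created, before any content has been written. The image is external input, so those bits should not reach the creation mode; restrict it to the permission bits, `mode = (n->inode->base.mode & (S_IRWXU | S_IRWXG | S_IRWXO)) | 0200;`, and let the later chmod pass that UNPACK_CHMOD presumably implies restore the special bits once the file is complete. Note that `| 0200` also makes a file that is read-only in the image writable at creation; if no later chmod resets it, the unpacked mode will differ from the image. create_node's body continues outside the hunk.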
@@ -131,7 +138,7 @@ static int create_node_dfs(const sqfs_tree_node_t *n, int flags)
if (!(flags & UNPACK_QUIET))
printf("creating %s\n", name);
- ret = create_node(n, name);
+ ret = create_node(n, name, flags);
free(name);
if (ret)
return -1;
diff --git a/lib/sqfs/unix/io_file.c b/lib/sqfs/unix/io_file.c
index 52fc94b..d4c1232 100644
--- a/lib/sqfs/unix/io_file.c
+++ b/lib/sqfs/unix/io_file.c
@@ -168,7 +168,7 @@ sqfs_file_t *sqfs_open_file(const char *filename, sqfs_u32 flags)
}
}
- file->fd = open(filename, open_mode, 0600);
+ file->fd = open(filename, open_mode, 0644);
if (file->fd < 0) {
temp = errno;
free(file);
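Review bot: The change to `open(filename, open_mode, 0644)` alters the externally visible behaviour of sqfs_open_file for every library caller, but nothing in the code records that the default is now group- and world-readable and that callers wanting a stricter result are expected to set the process umask, as the commit message explains. A comment on this line, `/* 0644 is deliberate: callers restrict via umask, not here */`, and, if sqfs_open_file has a documented contract in its public header, the same sentence there, would keep that contract visible to users of the library. The function starts outside the hunk.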