[Pkg-gnutls-maint] Bug#373169: Bug#373169: please set permissions on key output to 600

Daniel Kahn Gillmor dkg-debian.org at fifthhorseman.net
Fri May 16 17:07:38 UTC 2008


On Fri 2008-05-16 08:44:35 -0400, martin f krafft wrote:

> also sprach Simon Josefsson <simon at josefsson.org> [2008.05.16.1328 +0100]:
>> Hi!  I've fixed this problem upstream in:
>> 
>> http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=1f808bbed485731d69a8c37509487632674c7d52
>
> Looks good. I am glad you chmod() before dumping the content. :)

It's definitely better to chmod before dumping content than not, but i
think this leaves an (admittedly small) window for an attacker to grab
a file descriptor before the file is chmodded.

Better would be to call umask(S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH) before
opening the output file (and set it back afterward, if you care).

in certtool.c, that seems to happen in the argument parser, though, so
i'm not sure if you can know what umask is needed before the output
file is opened (e.g. we don't know if we're generating a certificate
or a private key).  Maybe the file should be opened after all argument
processing to allow for setting a proper umask?

For an exaggerated demonstration of the problem: build and run
chmodvumask [0] with a non-existent filename as an argument, and hook
a tail -f process into that file as a different user within the 10
second window; the text written to the chmod'ed file will be readable
by the other user.

hth,

   --dkg

[0] http://cmrg.fifthhorseman.net/browser/trunk/test/chmodvumask/chmodvumask.c
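The two creation orders discussed above, side by side, as an added example (this is neither dkg's chmodvumask.c nor certtool.c; it assumes a writable path under /tmp and uses a constructed placeholder instead of real key material). `create_then_chmod` reproduces the create-then-chmod order and returns the mode the file carried during the window; `create_private` tightens umask first and additionally asks open() for 0600 with O_EXCL, then re-checks the descriptor with fstat before any bytes are written.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed placeholder; not a real key. */
static const char SAMPLE_KEY[] =
    "-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n-----END PRIVATE KEY-----\n";

/* Permission bits of `path` masked to 0777, or -1 on error. */
static int mode_of(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* Create with the process default mode, write, then chmod to 0600.
 * Returns the mode the file had between creation and chmod (the window),
 * or -1 on error. umask is pinned to 022 so the result does not depend on
 * the caller's environment; under that umask fopen("w") yields 0644. */
int create_then_chmod(const char *path) {
    unlink(path);
    mode_t old = umask(022);
    FILE *f = fopen(path, "w");
    umask(old);
    if (f == NULL) return -1;
    int window_mode = mode_of(path);          /* world-readable at this point */
    fputs(SAMPLE_KEY, f);
    fclose(f);
    if (chmod(path, S_IRUSR | S_IWUSR) != 0) return -1;
    return window_mode;
}

/* Tighten umask before open(), request 0600 explicitly, and refuse to reuse
 * an existing file (O_EXCL). fstat on the descriptor confirms that no
 * group/other bits are set before key material is written. Returns the
 * mode the file had immediately after creation, or -1 on error. */
int create_private(const char *path) {
    unlink(path);
    mode_t old = umask(S_IRWXG | S_IRWXO);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    umask(old);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        unlink(path);
        return -1;                            /* never write the key here */
    }
    int created_mode = (int)(st.st_mode & 0777);
    size_t len = strlen(SAMPLE_KEY);
    if (write(fd, SAMPLE_KEY, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    close(fd);
    return created_mode;
}

int main(void) {
    const char *p = "/tmp/keyperm-demo.pem";  /* assumed writable location */
    printf("create-then-chmod, mode during window: %04o\n", create_then_chmod(p));
    printf("umask + open(0600), mode at creation:  %04o\n", create_private(p));
    unlink(p);
    return 0;
}
```

Because umask can only clear bits, passing 0600 to open() is what guarantees the result regardless of the inherited umask; the umask call is kept so that any other file the program creates in the same region is restricted too. The fstat check is the defender's assertion that the file is private before the key is written, rather than after.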