#1806 uid_map created as world writable - a security risk

3.4.0
closed-fixed
dr_mohan
5
2014-05-08
2013-08-02
dr_mohan
No

uid_map file is created as world writable which may be a security risk.
Some input provided by Anton are

It is a reasonable concern. Guess we should create bug ticket for this.

There are two workarounds:

1) it is possible to run openhpi daemon without using uid_map.
2) it is possible to set uid_map file location other than /tmp or /var.

    Anton Pak

The file should be less than or equal to 644.

3 Attachments

Discussion

  • Tariq Shureih
    Tariq Shureih
    2013-08-02

    *ATTENTION**
    This account is disabled and is no longer accessed by the recipient.
    Please remove it from your address book.

    Thanks

     
  • dr_mohan
    dr_mohan
    2013-09-19

    The patch is uploaded. It creates the uid_map file with 644 permission (umask set to 022). It does not change the permissions on the existing file as the user could set it to 600 or some other permission manually.

    This is a very simple patch. Please review.

     
  • dr_mohan
    dr_mohan
    2013-09-19

     
  • dr_mohan
    dr_mohan
    2013-09-24

     
  • dr_mohan
    dr_mohan
    2013-09-24

    New patch that applies only to non windows platforms

     
  • dr_mohan
    dr_mohan
    2013-09-30

    • status: open --> closed-fixed
     
  • dr_mohan
    dr_mohan
    2013-09-30

    Fixed with checkin #7558

     
  • dr_mohan
    dr_mohan
    2013-10-21

    • 3.4.0: 3.3.x --> 3.4.0