
#546 A security hole on afp.conf, when MySQL is CNID backend

None
closed
1
2023-04-11
2014-01-17
Oichinokata
No

To use MySQL as the CNID backend, afp.conf is written as follows.

[Global]
cnid mysql host = localhost
cnid mysql user = <mysql_user>
cnid mysql pw = <mysql_password>
cnid mysql db = <mysql_database_name>

[afp volume]
path = /exports/netatalk
cnid scheme = mysql

afp.conf contains a clear text password for MySQL.
I'd like to prevent non-root users from reading the password, so I executed "chmod 600 afp.conf".
However, it does not work well.
afpd runs as the user's ID when a user connects from OS X, so afpd cannot read afp.conf.

Of course, when afp.conf is 644, it works well.

I think it is a security hole in afp.conf when MySQL is the CNID backend.

A sample patch is attached.
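The check a practitioner would want on a host like the one described above is whether afp.conf carries a cleartext `cnid mysql pw` while its mode still lets group or other read it. The audit below is an added example, not code from the ticket or from netatalk; it assumes Python's configparser accepts the same `key with spaces = value` ini syntax that netatalk's own parser reads, the `SECRET_KEYS` list and the function names are hypothetical, and the embedded afp.conf is a constructed sample with placeholder credentials. Note the ticket's own caveat: on a netatalk build without the fix discussed in this ticket, a 0600 afp.conf makes the per-user afpd unable to read the file, so tightening the mode is only safe once afpd opens it as root.

```python
import configparser
import os
import stat
import sys
import tempfile
from pathlib import Path

# Constructed sample in the shape of the afp.conf quoted in the ticket; the
# credentials are placeholders, not a real deployment.
SAMPLE_AFP_CONF = """\
[Global]
cnid mysql host = localhost
cnid mysql user = netatalk
cnid mysql pw = example-password
cnid mysql db = netatalk_cnid

[afp volume]
path = /exports/netatalk
cnid scheme = mysql

[scratch]
path = /exports/scratch
"""

# Keys in [Global] whose value is a cleartext credential (hypothetical list;
# extend it if other secret-bearing options are in use).
SECRET_KEYS = ("cnid mysql pw",)


def parse_afp_conf(text):
    """Parse afp.conf as an ini file. Assumption: configparser accepts the same
    'key with spaces = value' syntax that netatalk's iniparser reads."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def global_section(cp):
    """afp.conf's global section is [Global]; match it case-insensitively."""
    for name in cp.sections():
        if name.lower() == "global":
            return name
    return None


def cleartext_secrets(cp):
    """Names of credential keys set to a non-empty value in [Global]."""
    g = global_section(cp)
    if g is None:
        return []
    return [k for k in SECRET_KEYS if cp.get(g, k, fallback="").strip()]


def mysql_volumes(cp):
    """Volumes that select the MySQL CNID backend and so depend on those credentials."""
    g = global_section(cp)
    return [s for s in cp.sections()
            if s != g and cp.get(s, "cnid scheme", fallback="").strip().lower() == "mysql"]


def audit_afp_conf(path):
    """Return findings for one afp.conf: a cleartext credential in a file whose
    mode bits let group or other read it (mode bits, not effective access)."""
    path = Path(path)
    cp = parse_afp_conf(path.read_text())
    mode = stat.S_IMODE(path.stat().st_mode)
    readable_by_others = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    findings = []
    secrets = cleartext_secrets(cp)
    if secrets and readable_by_others:
        findings.append(
            f"{path}: mode {mode:04o} lets group/other read {', '.join(secrets)} "
            f"(used by volumes: {', '.join(mysql_volumes(cp)) or 'none'}); expected 0600")
    return findings


def write_sample_conf(mode):
    """Write SAMPLE_AFP_CONF to a temp file with the given mode; returns the path."""
    fd, path = tempfile.mkstemp(prefix="afp-", suffix=".conf")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_AFP_CONF)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise show both cases on the sample.
    if len(sys.argv) > 1:
        for line in audit_afp_conf(sys.argv[1]):
            print(line)
    else:
        for mode in (0o644, 0o600):
            p = write_sample_conf(mode)
            print(f"mode {mode:04o}: {audit_afp_conf(p) or 'no findings'}")
            os.unlink(p)
```

Run it as `python3 audit_afp_conf.py /etc/afp.conf` (the path is an assumption; use wherever the build installs afp.conf). The audit looks at mode bits rather than trying to open the file, so it gives the same answer whether it is run as root or as an ordinary user.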


Discussion

  • Oichinokata

    Oichinokata - 2014-01-17

    Sorry, the sample afp.conf was corrupted, so I am re-sending it.

    [Global]
    cnid mysql host = localhost
    cnid mysql user = {MySQL_user}
    cnid mysql pw = {MySQL_password}
    cnid mysql db = {MySQL_database_name}

    [afp volume]
    path = /exports/netatalk
    cnid scheme = mysql

     
  • Ralph Böhme

    Ralph Böhme - 2014-01-21

    This seems to be missing a become_root() around

        fd = open(obj->options.configfile, O_RDONLY);
    

    on line 1399 in the same file.

     
  • Daniel Markstedt

    • assigned_to: Daniel Markstedt
    • Group: -->
     
  • Daniel Markstedt

    By following Ralph's advice, the complete patch would look like this:

    diff --git a/libatalk/util/netatalk_conf.c b/libatalk/util/netatalk_conf.c
    index d2d16ca9..43306065 100644
    --- a/libatalk/util/netatalk_conf.c
    +++ b/libatalk/util/netatalk_conf.c
    @@ -1624,7 +1624,9 @@ int load_volumes(AFPObj *obj, lv_flags_t flags)
    
         /* try putting a read lock on the volume file twice, sleep 1 second if first attempt fails */
    
    +    become_root();
         fd = open(obj->options.configfile, O_RDONLY);
    +    unbecome_root();
    
         while (retries < 2) {
             if ((read_lock(fd, 0, SEEK_SET, 0)) != 0) {
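Review bot: in the lines shown, fd is never checked for -1 between the new unbecome_root() and read_lock(fd, 0, SEEK_SET, 0). If afp.conf is missing, or become_root() does not actually regain privileges in the per-user afpd child, open() fails and the lock loop runs on an invalid descriptor with no log line saying why. Suggest `if (fd == -1) { LOG(log_error, logtype_afpd, "load_volumes: open %s: %s", obj->options.configfile, strerror(errno)); return -1; }` placed after unbecome_root(), so the early return never leaves the process as root.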
    @@ -1643,7 +1645,9 @@ int load_volumes(AFPObj *obj, lv_flags_t flags)
         if (obj->iniconfig)
             atalk_iniparser_freedict(obj->iniconfig);
         LOG(log_debug, logtype_afpd, "load_volumes: loading: %s", obj->options.configfile);
    +    become_root();
         obj->iniconfig = atalk_iniparser_load(obj->options.configfile);
    +    unbecome_root();
    
         EC_ZERO_LOG( readvolfile(obj, pwresult) );
    
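Review bot: obj->iniconfig is not checked for NULL between unbecome_root() and readvolfile(obj, pwresult). atalk_iniparser_load can fail (the afp_config_parse hunk treats a NULL result as an error), so a reload that fails here, for example because afp.conf was tightened further, goes straight into readvolfile with a NULL dictionary. Suggest `if (obj->iniconfig == NULL) return -1;` after unbecome_root(). A one-line comment on why root is needed (afp.conf may be 0600 to protect `cnid mysql pw`) would also help, since nothing in the hunk says so.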
    @@ -2007,7 +2011,10 @@ int afp_config_parse(AFPObj *AFPObj, char *processname)
         options->uuidconf    = strdup(_PATH_STATEDIR "afp_voluuid.conf");
         options->flags       = OPTION_UUID | AFPObj->cmdlineflags;
    
    -    if ((config = atalk_iniparser_load(AFPObj->options.configfile)) == NULL)
    +    become_root();
    +    config = atalk_iniparser_load(AFPObj->options.configfile);
    +    unbecome_root();
    +    if (config == NULL)
             return -1;
         AFPObj->iniconfig = config;
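Review bot: splitting the original `if ((config = atalk_iniparser_load(...)) == NULL)` so that unbecome_root() runs before `return -1` is the right shape here; folding the call into the condition would have let the failure path return with privileges still raised. With the same become_root()/load/unbecome_root() pair now in three places, consider a small wrapper such as `atalk_iniparser_load_as_root()` so the two halves cannot drift apart in later edits, and document on it that the elevation exists because afp.conf may be 0600 when it holds MySQL credentials.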
    

    I don't have a mysql setup to test against right now however.

     

    Last edit: Daniel Markstedt 2023-04-11
  • Daniel Markstedt

    • summary: A security hall on afp.conf, when MySQL is CNID backend --> A security hole on afp.conf, when MySQL is CNID backend
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -17,6 +17,6 @@
    
     Of course, when afp.conf is 644, it works well.
    
    -I think it is a security hall on afp.conf, when MySQL is CNID backend.
    +I think it is a security hole on afp.conf, when MySQL is CNID backend.
    
     A sample patch is attached.
    
     
  • Daniel Markstedt

    Actually, so for testing I figured that I can just validate that afpd is able to read a read-protected afp.conf with this patch. And yes: before the patch, a non-privileged user is refused connections, while with the patch they are able to connect.

    Raised a PR https://github.com/Netatalk/netatalk/pull/300

     
  • Daniel Markstedt

    • status: open --> closed
     
  • Daniel Markstedt

    Merged.

     
