#1806 uid_map created as world writable - a security risk

3.4.0
closed-fixed
dr_mohan
5
2014-05-08
2013-08-02
dr_mohan
No

uid_map file is created as world writable which may be a security risk.
Some input provided by Anton:

It is a reasonable concern. Guess we should create a bug ticket for this.

There are two workarounds:

1) it is possible to run openhpi daemon without using uid_map.
2) it is possible to set uid_map file location other than /tmp or /var.

    Anton Pak

The file should be less than or equal to 644.

3 Attachments

Discussion

  • Tariq Shureih

    Tariq Shureih - 2013-08-02

    **ATTENTION**
    This account is disabled and is no longer accessed by the recipient.
    Please remove it from your address book.

    Thanks

     
  • dr_mohan

    dr_mohan - 2013-09-19

    The patch is uploaded. It creates the uid_map file with 644 permission (umask set to 022). It does not change the permissions on the existing file as the user could set it to 600 or some other permission manually.

    This is a very simple patch. Please review.

     
  • dr_mohan

    dr_mohan - 2013-09-19
     
  • dr_mohan

    dr_mohan - 2013-09-24
     
  • dr_mohan

    dr_mohan - 2013-09-24

    New patch that applies only to non-Windows platforms.

     
  • dr_mohan

    dr_mohan - 2013-09-30
    • status: open --> closed-fixed
     
  • dr_mohan

    dr_mohan - 2013-09-30

    Fixed with checkin #7558

     
  • dr_mohan

    dr_mohan - 2013-10-21
    • 3.4.0: 3.3.x --> 3.4.0
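
The behaviour described in the 2013-09-19 comment (a new file created as 644 under umask 022, an existing file left untouched), sketched as an added C example. This is not the uploaded patch or OpenHPI code, and the function names are hypothetical.

```c
/* Added example, not OpenHPI code; all function names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat'ed. */
int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Risky pattern: fopen() requests 0666, so the final mode depends only on the
 * inherited umask. A daemon started with umask 0 gets a world-writable file. */
int create_map_unsafe(const char *path)
{
    FILE *f = fopen(path, "a");
    if (!f) return -1;
    fclose(f);
    return mode_of(path);
}

/* Hardened pattern: force umask 022 and request 0644 when creating the file.
 * O_EXCL means an existing file is left alone, so a mode the administrator
 * set by hand (for example 0600) is preserved. */
int create_map_safe(const char *path)
{
    mode_t old = umask(022);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    int err = errno;              /* save before umask() is called again */
    umask(old);                   /* restore the caller's umask */
    if (fd >= 0) close(fd);
    else if (err != EEXIST) return -1;
    return mode_of(path);
}

/* Audit check: 1 if group or others may write, 0 if not, -1 on error. */
int is_loosely_writable(const char *path)
{
    int m = mode_of(path);
    return m < 0 ? -1 : (m & (S_IWGRP | S_IWOTH)) != 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) return 2;
    return create_map_safe(argv[1]) < 0; /* exit 0 once the file exists */
}
```

`is_loosely_writable()` can also be run against an already deployed uid_map file to confirm it is no wider than 644.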
     
