#15387: Problem with path security check if owned by a non-primary group
---------------------------+-------------------------
Reporter: nbruin | Owner:
Type: defect | Status: new
Priority: major | Milestone: sage-5.13
Component: porting | Resolution:
Keywords: | Merged in:
Authors: | Reviewers:
Report Upstream: N/A | Work issues:
Branch: | Commit:
Dependencies: | Stopgaps:
---------------------------+-------------------------
Comment (by nbruin):
Replying to [comment:7 jdemeyer]:
> Replying to [comment:6 nbruin]:
> > Any alternatives?
> Use `getgroups()` to get '''all''' the groups that somebody is a member of.
Yes, that would solve the problem, but it's not clear to me that that is
truly more secure than just ignoring the process group altogether.
Imagine:
{{{
$ id
uid=...(me) gid=...(wheel)
groups=...(wheel),...(www_devel),...(unwashed_masses)
$ ls -dl .
drwxrwx--x wheel unwashed_masses [...] ./
$ umask 002
$ sage -t module.py
}}}
This user `me` has write permission anywhere where all members of
`unwashed_masses` have write permission, but `me` has many more privileges
as well. A longer `getgroups()` indicates a MORE privileged UID, so
normally one would think one should be LESS liberal in executing code
under that UID. Considering all the groups returned by `getgroups()` as
trusted when `umask 002` is in effect would have exactly the opposite
effect.
Trust relations in security are often asymmetric and unfortunately it
doesn't seem POSIX provides a way to obtain the information in the
direction we are interested in (I don't think that information is
formalized in the system).
I am fine with doing the `getgroups()` check, because it is an improvement
in terms of usability over what we have now and I think in most scenarios
it will allow things that should be allowed.
It is a little less permissive than just not considering groups at all
upon `umask 002`, so it may seem a little more secure, but I have trouble
defining/justifying the security model it would be following, and
programming the `getgroups()` thing is quite a bit more work.
Therefore, my default would be just dropping the `getgid() != parent_stat.st_gid`.
--
Ticket URL: <http://trac.sagemath.org/ticket/15387#comment:8>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica,
and MATLAB
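Added example, not code from the ticket or from Sage's doctest framework: a small pure-Python model of the three group policies discussed in this thread, run against the `id` / `ls -dl .` / `umask 002` situation above. All names and numeric ids are constructed, the directory is assumed to be owned by `me` with group `unwashed_masses`, and the check itself is a hypothetical reconstruction of the `getgid() != parent_stat.st_gid` comparison rather than Sage's actual code.

```python
import stat
from dataclasses import dataclass

# Constructed ids for the scenario in the ticket (hypothetical, not real uids/gids).
WHEEL, WWW_DEVEL, UNWASHED_MASSES = 10, 2001, 2002
ME, ALICE, BOB, CAROL = 1000, 1001, 1002, 1003


@dataclass(frozen=True)
class Subject:
    """Process identity: what os.getuid(), os.getgid(), os.getgroups() and os.umask() report."""
    uid: int
    gid: int               # primary (effective) group, getgid()
    groups: frozenset      # supplementary groups, getgroups()
    umask: int


@dataclass(frozen=True)
class PathInfo:
    """The os.stat() fields the directory check looks at."""
    mode: int
    uid: int
    gid: int


def creates_group_writable_files(umask):
    """True when files created under this umask are group-writable (umask 002 is the trigger)."""
    return bool((0o666 & ~umask) & stat.S_IWGRP)


def group_trusted_primary_only(subject, path):
    """The check under discussion: getgid() != parent_stat.st_gid rejects the path."""
    return subject.gid == path.gid


def group_trusted_any_member(subject, path):
    """The getgroups() variant: trust the owning group if the user is a member of it."""
    return path.gid == subject.gid or path.gid in subject.groups


def group_trusted_ignored(subject, path):
    """The 'drop the comparison' option: the owning group is never consulted."""
    return True


def path_is_trusted(subject, path, group_policy):
    """Decide whether code in `path` may be run as `subject`; returns (ok, reason)."""
    if path.uid != subject.uid:
        return False, "not owned by the running user"
    if path.mode & stat.S_IWOTH:
        return False, "world-writable"
    if path.mode & stat.S_IWGRP and not group_policy(subject, path):
        return False, "group-writable and the owning group is not trusted"
    return True, "ok"


def potential_writers(path, users):
    """Every uid in `users` that could have written into `path`, independent of policy."""
    writers = set()
    for user in users:
        if path.mode & stat.S_IWOTH:
            writers.add(user.uid)
        elif user.uid == path.uid and path.mode & stat.S_IWUSR:
            writers.add(user.uid)
        elif path.gid in (user.groups | {user.gid}) and path.mode & stat.S_IWGRP:
            writers.add(user.uid)
    return writers


def ticket_scenario():
    """The id / ls -dl . / umask 002 situation from the comment, as constructed data."""
    me = Subject(ME, WHEEL, frozenset({WHEEL, WWW_DEVEL, UNWASHED_MASSES}), 0o002)
    # Other accounts on the box (constructed): only bob and carol share unwashed_masses with me.
    alice = Subject(ALICE, WWW_DEVEL, frozenset({WWW_DEVEL}), 0o022)
    bob = Subject(BOB, UNWASHED_MASSES, frozenset({UNWASHED_MASSES}), 0o022)
    carol = Subject(CAROL, UNWASHED_MASSES, frozenset({UNWASHED_MASSES}), 0o022)
    # drwxrwx--x, assumed owned by me, group unwashed_masses
    dot = PathInfo(stat.S_IFDIR | 0o771, ME, UNWASHED_MASSES)
    return {
        "umask_matters": creates_group_writable_files(me.umask),
        "primary_only": path_is_trusted(me, dot, group_trusted_primary_only),
        "any_member": path_is_trusted(me, dot, group_trusted_any_member),
        "ignored": path_is_trusted(me, dot, group_trusted_ignored),
        "writers": potential_writers(dot, [me, alice, bob, carol]),
    }


if __name__ == "__main__":
    for key, value in ticket_scenario().items():
        print(key, value)
```

`potential_writers` is the defender's view of the same directory: whichever policy is chosen, every member of `unwashed_masses` could have written into it, so a longer `getgroups()` list for `me` widens what the check accepts without shrinking the set of accounts that could have planted a file. That is the asymmetry the comment points at, and it is why the primary-group and any-member policies differ only in how much they accept, not in what the directory's contents can be trusted to be.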