#15387: Problem with path security check if owned by a non-primary group
---------------------------+-------------------------
       Reporter:  nbruin   |        Owner:
           Type:  defect   |       Status:  new
       Priority:  major    |    Milestone:  sage-5.13
      Component:  porting  |   Resolution:
       Keywords:           |    Merged in:
        Authors:           |    Reviewers:
Report Upstream:  N/A      |  Work issues:
         Branch:           |       Commit:
   Dependencies:           |     Stopgaps:
---------------------------+-------------------------

Comment (by nbruin):

 Replying to [comment:7 jdemeyer]:
 > Replying to [comment:6 nbruin]:
 > > Any alternatives?
 > Use `getgroups()` to get '''all''' the groups that somebody is a member
 of.

 Yes, that would solve the problem, but it's not clear to me that that is
 truly more secure than just ignoring the process group altogether.
 Imagine:
 {{{
 $ id
 uid=...(me) gid=...(wheel)
 groups=...(wheel),...(www_devel),...(unwashed_masses)
 $ ls -dl .
 drwxrwx--x wheel unwashed_masses [...] ./
 $ umask 002
 $ sage -t module.py
 }}}
 This user `me` has write permission anywhere where all members of
 `unwashed_masses` have write permission, but `me` has many more privileges
 as well. A longer `getgroups()` indicates a MORE privileged UID, so
 normally one would think one should be LESS liberal in executing code
 under that UID. Considering all the groups returned by `getgroups()` as
 trusted when `umask 002` is in effect would have exactly the opposite
 effect.

 Trust relations in security are often asymmetric and unfortunately it
 doesn't seem POSIX provides a way to obtain the information in the
 direction we are interested in (I don't think that information is
 formalized in the system).

 I am fine with doing the `getgroups()` check, because it is an improvement
 in terms of usability over what we have now and I think in most scenarios
 it will allow things that should be allowed.

 It is a little less permissive than just not considering groups at all
 upon `umask 002`, so it may seem a little more secure, but I have trouble
 defining/justifying the security model it would be following, and
 programming the `getgroups()` thing is quite a bit more work.

 Therefore, my default would be just dropping the `getgid() !=
 parent_stat.st_gid`.

--
Ticket URL: <http://trac.sagemath.org/ticket/15387#comment:8>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica, 
and MATLAB
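The three ways of judging a group-writable directory that the thread weighs (compare against the primary gid, compare against every group from `getgroups()`, or ignore the group) are easy to put side by side in code. The following is an added example, not code from the Sage ticket or the Sage tree: `DirStat`, `Identity`, `directory_trusted` and `trusted_count` are stand-ins invented here, the group ids are constructed values, and the handling of the umask (skip the group question when the umask already strips group write) is an assumption about the check's intent. Running it reproduces the asymmetry nbruin describes: under the `getgroups()` policy, the identity with more groups is the one that trusts more directories.

```python
import stat
from collections import namedtuple

# Constructed stand-ins for the fields of os.stat_result and of the calling
# process identity that the check needs (no real stat or getgroups calls).
DirStat = namedtuple("DirStat", "st_mode st_uid st_gid")
Identity = namedtuple("Identity", "uid gid groups umask")

# Group ids for the scenario in the comment (constructed values).
WHEEL, WWW_DEVEL, UNWASHED_MASSES, OTHERS = 10, 20, 30, 40


def directory_trusted(st, ident, policy):
    """Return True if code found in the directory described by `st` may be
    trusted to run under `ident`.

    `policy` selects how a group-writable directory is judged:
      "primary" - accept only if st_gid equals the process's primary gid
                  (the `getgid() != parent_stat.st_gid` test discussed)
      "all"     - accept if st_gid is any group returned by getgroups()
      "ignore"  - do not look at the group at all
    Assumption: when the umask already strips group write (bit 0o020 set),
    files the process creates are not group-writable, so the group question
    does not arise and the directory is accepted.
    """
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_mode & stat.S_IWOTH:          # world-writable: never trusted
        return False
    if st.st_uid != ident.uid:             # must be owned by the user
        return False
    if not (st.st_mode & stat.S_IWGRP):    # not group-writable: nothing to ask
        return True
    if ident.umask & 0o020:                # umask 022 and the like
        return True
    if policy == "primary":
        return st.st_gid == ident.gid
    if policy == "all":
        return st.st_gid in ident.groups
    if policy == "ignore":
        return True
    raise ValueError("unknown policy %r" % (policy,))


def trusted_count(ident, dirs, policy):
    """Number of directories in `dirs` that `policy` accepts for `ident`."""
    return sum(directory_trusted(st, ident, policy) for st in dirs)


# The scenario from the comment: `me` has primary group wheel, is also in
# www_devel and unwashed_masses, runs with umask 002, and the cwd is
# drwxrwx--x owned by me:unwashed_masses.
ME = Identity(uid=1000, gid=WHEEL,
              groups=(WHEEL, WWW_DEVEL, UNWASHED_MASSES), umask=0o002)
CWD = DirStat(st_mode=stat.S_IFDIR | 0o771, st_uid=1000, st_gid=UNWASHED_MASSES)

# Same uid with fewer supplementary groups, to show the asymmetry.
NARROW = Identity(uid=1000, gid=WHEEL, groups=(WHEEL,), umask=0o002)

# Four group-writable directories owned by uid 1000, one per group.
DIRS = [DirStat(stat.S_IFDIR | 0o770, 1000, g)
        for g in (WHEEL, WWW_DEVEL, UNWASHED_MASSES, OTHERS)]

if __name__ == "__main__":
    for policy in ("primary", "all", "ignore"):
        print("%-8s cwd trusted: %-5s  dirs trusted (me/narrow): %d/%d" % (
            policy, directory_trusted(CWD, ME, policy),
            trusted_count(ME, DIRS, policy), trusted_count(NARROW, DIRS, policy)))
```

The `primary` policy rejects the cwd in the scenario (wheel is not unwashed_masses), `all` and `ignore` accept it. Over `DIRS`, `all` accepts three directories for `ME` and one for `NARROW`, while `primary` accepts one for both and `ignore` all four for both: the `getgroups()` rule is the only one whose accepted set grows with the number of groups a user belongs to.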
