Opened 11 years ago

Closed 8 years ago

Last modified 8 years ago

#2410 closed defect (wontfix)

privilege escalation: allows caller to store anything sugar-datastore has access to

Reported by: sascha_silbe
Owned by: alsroot
Priority: Low
Milestone:
Component: Sugar
Version: Git as of bugdate
Severity: Critical
Keywords:
Cc:
Distribution/OS:
Bug Status: New

Description

sugar-datastore will happily open any file the caller tells it to save, so the caller can store everything sugar-datastore has access to and later retrieve it, thereby gaining full read access. This is of special concern if activities are running in a sandbox, i.e. when using http://wiki.laptop.org/go/Rainbow.

We should refuse to open files the caller doesn't have read permissions for. Not sure how exactly to achieve that without introducing a race condition or using setfsuid() or setuid(), both of which (naturally) require superuser rights.

As a general precaution sugar-datastore should also refuse to store anything that isn't a regular file.

The practical implications of this are currently limited as the mainline version of sugar-datastore still doesn't work with Rainbow (I have at least a partial fix for that in my repo), but we should nevertheless fix it.
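The following is an added illustration of the two checks the report asks for (refuse files the caller could not read itself, refuse anything that is not a regular file); it is not sugar-datastore code and not part of this ticket. It assumes the service already knows the caller's uid and supplementary gids (a D-Bus service can ask the bus daemon for the connection's uid; the gid lookup is left to the caller of these functions), and it approximates the kernel's mode-bit check, ignoring ACLs and capabilities. The race the reporter worries about is sidestepped by opening first and then checking the opened descriptor with fstat(), so the inode that is inspected is the one that will be read. The sample files are constructed in a temporary directory by `demo()`.

```python
import errno
import os
import stat
import tempfile


class RefusedFile(Exception):
    """Raised when the service refuses a caller-supplied path."""

    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason


def caller_may_read(st, uid, gids):
    """Approximate access(R_OK) for `uid` using only the mode bits of an
    already-opened inode. Simplification (assumption): POSIX ACLs and
    capabilities are ignored; uid 0 bypasses the check as the kernel does."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def open_for_caller(path, caller_uid, caller_gids=()):
    """Open `path` read-only on behalf of an unprivileged caller.

    O_NOFOLLOW rejects a symlink as the final path component, O_NONBLOCK
    keeps a FIFO from hanging the service, and every check is done on the
    descriptor (fstat) rather than on the path (stat), so the caller cannot
    swap the file between the check and the read.
    """
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise RefusedFile("symlink") from e
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise RefusedFile("not-regular")
        if not caller_may_read(st, caller_uid, caller_gids):
            raise RefusedFile("unreadable-by-caller")
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")


def classify(path, uid, gids=()):
    """Return "ok" if the caller may store `path`, else the refusal reason."""
    try:
        with open_for_caller(path, uid, gids) as f:
            f.read()
        return "ok"
    except RefusedFile as e:
        return e.reason


def demo():
    """Exercise the checks on constructed sample files."""
    me = os.getuid()
    stranger = me + 1  # hypothetical caller: not the owner, in no groups
    results = {}
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        with open(public, "wb") as f:
            f.write(b"constructed sample content\n")
        os.chmod(public, 0o644)

        private = os.path.join(d, "private.txt")
        with open(private, "wb") as f:
            f.write(b"constructed secret\n")
        os.chmod(private, 0o600)

        link = os.path.join(d, "link")
        os.symlink(public, link)
        fifo = os.path.join(d, "fifo")
        os.mkfifo(fifo)
        subdir = os.path.join(d, "subdir")
        os.mkdir(subdir)

        for name, path in [("public", public), ("private", private),
                           ("symlink", link), ("fifo", fifo),
                           ("directory", subdir)]:
            results[name] = classify(path, stranger)
        # the owner is still allowed to store its own private file
        results["private-as-owner"] = classify(private, me, (os.getgid(),))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

What this does not cover is the directory walk: a caller that lacks search permission on a parent directory would still get the file opened on its behalf, because only the final inode is inspected. Closing that gap is exactly where the reporter's setfsuid()/setuid() concern comes in; the alternative that avoids the problem entirely is for the caller to open the file itself and hand the datastore a file descriptor (D-Bus supports fd passing), so the service never opens a caller-chosen path at all.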

Change History (3)

comment:1 Changed 8 years ago by dnarvaez

  • Component changed from sugar-datastore to Sugar

comment:2 Changed 8 years ago by dnarvaez

  • Resolution set to wontfix
  • Status changed from new to closed

With rainbow not even used anymore these days, I don't think this is a priority. We should either enforce this kind of security or not enforce it; doing it only in a few places is just a waste of resources.

comment:3 Changed 8 years ago by dnarvaez

  • Milestone 0.92 deleted
