#2410 closed defect (wontfix)
privilege escalation: allows caller to store anything sugar-datastore has access to
| Reported by: | sascha_silbe | Owned by: | alsroot |
|---|---|---|---|
| Priority: | Low | Milestone: | |
| Component: | Sugar | Version: | Git as of bugdate |
| Severity: | Critical | Keywords: | |
| Cc: | | Distribution/OS: | |
| Bug Status: | New | | |
Description
sugar-datastore will happily open any file the caller tells it to save, so the caller can store everything sugar-datastore has access to and later retrieve it, thereby gaining full read access. This is of special concern if activities are running in a sandbox, i.e. when using http://wiki.laptop.org/go/Rainbow.
We should refuse to open files the caller doesn't have read permissions for. Not sure how exactly to achieve that without introducing a race condition or using setfsuid() or setuid(), both of which (naturally) require superuser rights.
As a general precaution sugar-datastore should also refuse to store anything that isn't a regular file.
The practical implications of this are currently limited as the mainline version of sugar-datastore still doesn't work with Rainbow (I have at least a partial fix for that in my repo), but we should nevertheless fix it.
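The following is an added example illustrating the check the report asks for; it is not sugar-datastore's code and not something the reporter posted. It assumes the datastore already knows the caller's uid and supplementary gids from some trusted source (for a D-Bus service that would be the bus's connection credentials; here they are just parameters). The race the report worries about is avoided by opening first and then inspecting the descriptor with `fstat`, so the object that was checked is the object that is held; `O_NOFOLLOW` additionally refuses a symlink at the final path component, and the regular-file check covers the "nothing that isn't a regular file" precaution. The permission test itself is a pure POSIX mode-bit emulation and is labelled as such in the code: it knows nothing about ACLs, capabilities or LSM policy, which is exactly why a fully faithful answer needs `setfsuid()`-style identity switching, as the report notes.

```python
import fcntl
import os
import stat
import tempfile


def open_if_caller_can_read(path, caller_uid, caller_gids):
    """Open `path` read-only on behalf of a caller identified by uid/gids.

    Returns an open file descriptor only if, after the open, the file is a
    regular file AND the POSIX mode bits grant that caller read access.
    Checking the descriptor (fstat) instead of the path (stat) closes the
    check-then-open race: what we inspected is what we hold.
    """
    # O_NOFOLLOW: do not follow a symlink at the final component.
    # O_CLOEXEC: keep the descriptor from leaking into child processes.
    # O_NONBLOCK: an open() on a FIFO must not hang the service; it is
    #             cleared again below once we know this is a regular file.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except OSError as e:
        raise PermissionError(f"cannot open {path!r}: {e.strerror}") from e
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path!r} is not a regular file")
        if not mode_grants_read(st, caller_uid, caller_gids):
            raise PermissionError(f"caller uid {caller_uid} may not read {path!r}")
        # Regular file confirmed: drop O_NONBLOCK so reads behave normally.
        cur = fcntl.fcntl(fd, fcntl.F_GETFL)
        fcntl.fcntl(fd, fcntl.F_SETFL, cur & ~os.O_NONBLOCK)
    except BaseException:
        os.close(fd)
        raise
    return fd


def mode_grants_read(st, uid, gids):
    """POSIX mode-bit rule: owner class if uid matches, else group class if
    the file's gid is among the caller's groups, else the 'other' class.

    Assumption of this example: this is only an emulation of the kernel's
    decision. It ignores POSIX ACLs, capabilities and LSM policy, and it
    deliberately does not treat uid 0 as all-powerful.
    """
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def demo():
    """Constructed sample layout for this example (not Sugar data).

    'foreign' stands for a caller that does not own the files and shares no
    group with them, i.e. the sandboxed-activity case from the report.
    """
    me, foreign = os.getuid(), os.getuid() + 1
    results = {}
    with tempfile.TemporaryDirectory() as d:
        private = os.path.join(d, "private.txt")
        shared = os.path.join(d, "shared.txt")
        with open(private, "w") as f:
            f.write("secret")
        with open(shared, "w") as f:
            f.write("public")
        os.chmod(private, 0o600)  # owner-only
        os.chmod(shared, 0o644)   # world-readable
        link = os.path.join(d, "link")
        os.symlink(shared, link)
        subdir = os.path.join(d, "subdir")
        os.mkdir(subdir)
        cases = {
            "owner_private": (private, me, []),
            "foreign_private": (private, foreign, []),
            "foreign_shared": (shared, foreign, []),
            "symlink": (link, me, []),
            "directory": (subdir, me, []),
        }
        for name, (p, uid, gids) in cases.items():
            try:
                fd = open_if_caller_can_read(p, uid, gids)
                results[name] = os.read(fd, 64).decode()
                os.close(fd)
            except PermissionError as e:
                results[name] = "refused: " + str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} -> {outcome}")
```

The design point is the ordering: open, then `fstat`, then decide, and close on any failure path. A `stat()` on the path followed by a separate `open()` would leave the window the report mentions, because the path could be re-pointed between the two calls. The remaining gap is in `mode_grants_read`, which can only approximate what the kernel would say for the caller; on a system that relies on ACLs or an LSM, the conservative choice is to treat any doubt as a refusal.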
Change History (3)
comment:1 Changed 10 years ago by dnarvaez
- Component changed from sugar-datastore to Sugar
comment:2 Changed 10 years ago by dnarvaez
- Resolution set to wontfix
- Status changed from new to closed
With Rainbow not even used anymore these days I don't think this is a priority. We should either enforce this kind of security or not enforce it; doing it only in a few places is just a waste of resources.