Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix #937 - Fix incorrect log access check in setuid startup #941

Merged
merged 1 commit into from
Apr 25, 2024
Merged

Fix #937 - Fix incorrect log access check in setuid startup #941

merged 1 commit into from
Apr 25, 2024

Conversation

mxsasha
Copy link
Collaborator

@mxsasha mxsasha commented Apr 25, 2024

Introduced in #666

@mxsasha mxsasha self-assigned this Apr 25, 2024
@mxsasha mxsasha linked an issue Apr 25, 2024 that may be closed by this pull request
IRRd won't start if the log file doesn't already exist #937
Closed
@mxsasha mxsasha merged commit 2f4ca06 into main Apr 25, 2024
9 checks passed
@mxsasha mxsasha deleted the fix937-2 branch April 25, 2024 12:22
This was referenced Apr 25, 2024
Merged
Merged
@tangledhelix
Copy link
Member

@mxsasha This seems it will cover the case I described. I haven't tested again, but what would happen with this code, if you have this situation:

  • Directory writeable by the unprivileged user
  • Within that directory, an existing file not writeable by the unprivileged user

Would that be handled properly? In that case the unprivileged user cannot write to the file, e.g.:

❯ ls -la
total 16
drwxr-xr-x  2 dan  eng   4096 Apr 25 15:17 .
drwxr-xr-x 62 dan  eng  12288 Apr 25 15:17 ..
-rw-r--r--  1 root root     0 Apr 25 15:17 myfile

❯ echo "test" >> myfile
zsh: permission denied: myfile

The unprivileged user could delete the file and create a new one, in this situation, but I don't see that in the code. So I wonder if this change would result in the server starting up without complaint, but then either failing later because it can't write to the logfile, or else silently failing to log due to permissions?

@mxsasha
Copy link
Collaborator Author

mxsasha commented Apr 26, 2024

Yes, this would cause the same failure #666 was meant to prevent. I think we should add that check too - though #666 was mostly meant to help people avoid a somewhat common misconfiguration, not catch every scenario :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@mxsasha mxsasha

Labels
backport-to-4.3 backport-to-4.4
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

IRRd won't start if the log file doesn't already exist
2 participants
@mxsasha @tangledhelix