possible race condition when writing configuration file #161

setharnold · 2020-05-28T02:07:56Z

Hello, I'm reviewing rtslib-fb as part of Ubuntu's main inclusion process.

I believe that the save_to_file() method may have a race condition:

Line 464 in 7f791a6

with open(tmp_file, "w+") as f:

The file is created before the modes are set to restrict access. If the umask of the process is set too wide, there is a very small window where a user who has installed an inotify watch on /etc/rtslib-fb-targets may be able to open /etc/rtslib-fb-targets/saveconfig.json.temp before the modes on the file are reduced. Once opened, any secrets stored in the file can be read.

Is there a better way to report security issues? I didn't see any guidance in the README.

Thanks

The text was updated successfully, but these errors were encountered:

Fixes: open-iscsi#161 Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>

pkalever pushed a commit to pkalever/rtslib-fb that referenced this issue May 28, 2020

saveconfig: open the temp configfile with modes set

dffcf83

Fixes: open-iscsi#161 Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>

pkalever mentioned this issue May 28, 2020

saveconfig: open the temp configfile with modes set #162

Merged

maurizio-lombardi closed this as completed in #162 May 28, 2020

cvubrugier pushed a commit to cvubrugier/rtslib-fb that referenced this issue May 17, 2022

saveconfig: open the temp configfile with modes set

015b62d

Fixes: open-iscsi#161 Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

possible race condition when writing configuration file #161

possible race condition when writing configuration file #161

setharnold commented May 28, 2020

possible race condition when writing configuration file #161

possible race condition when writing configuration file #161

Comments

setharnold commented May 28, 2020