Contrib.social

file check is problematic "green" when not test with chmod

Open on Drupal.org β†’
Created on 15 June 2024, 10 days ago

Problem/Motivation

The file check currently only tries to write into module folder. This shows green even if the webserver is the owner of the folder and the files inside but the write permission is not set. When malware will do just a chmod 0755 on directory and files it can change the files.

Steps to reproduce

For testing you need something which is not recommended. Change the owner of the security_check module folder to the webserver which usually needs root permissions. When chmod command is called before file check as chown in code the new file an be placed and IGNOREME.txt gets a fresh timestamp.

Proposed resolution

Maybe we can additionally check webserver username and file owner.
But adding chmod commands will do a real test.
When this can be done successful the system is changed in this place a little bit less secure.

Remaining tasks

Maybe add additionally warnings to fix the concrete file permissions of the.

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Needs work

Version

3.0

Component

Code

Created by

πŸ‡©πŸ‡ͺGermany C-Logemann Frankfurt/M, Germany

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @C-Logemann
  • Issue was unassigned.
  • Status changed to Needs work 10 days ago
  • Comment 10 days ago β†’
    πŸ‡©πŸ‡ͺGermany C-Logemann Frankfurt/M, Germany

    I commit a first code which makes the test "real" with 

    chmod($directory, 0755);

    .
    But depending on the webserver this can cause problems related to group and others permissions. Maybe we can read the permissions first and just change the user permission. And like good hackers we could clean up by ourself with resetting the permissions as before.

  • Comment 10 days ago β†’
    πŸ‡©πŸ‡ͺGermany C-Logemann Frankfurt/M, Germany
  • Status changed to Needs review 10 days ago
  • Comment 10 days ago β†’
    πŸ‡©πŸ‡ͺGermany C-Logemann Frankfurt/M, Germany

    I added a file perm read and chmod reset to the code.

  • Merge request !69Resolve #3454866 "File check is problematic green" β†’ (Open) created by C-Logemann
  • Pipeline finished with Success
    10 days ago
    Total: 151s
    #199941
  • Comment 10 days ago β†’
    πŸ‡©πŸ‡ͺGermany C-Logemann Frankfurt/M, Germany

    On my test system (D 10.2, nginx, fpm) I changed the file ownership to secured user and the chmod part was just ignored.

  • Status changed to Needs work 10 days ago
  • Comment 10 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    So this module is lacking tests but this seems like a change we should have coverage for as this is one of the more important checks

  • Comment 10 days ago β†’
    πŸ‡©πŸ‡ͺGermany C-Logemann Frankfurt/M, Germany

    Just found my old issue about this: ✨ "Safe file system permissions" should test the ownership of files and directories Closed: outdated

  • Comment 10 days ago β†’
    πŸ‡©πŸ‡ͺGermany C-Logemann Frankfurt/M, Germany

    @smustgrave OK, we need a test which creates an unsave situation to check if the file permission tests is still working correctly? Or is it only to make sure the test will not cause problems?

    On my old concept I was only thinking about checking if webserver is the owner of the code. This can also be a good test additionally to the already working search on writeable folder. But this should be handle in different issues.

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024