Backport of VAULT-12299 Use file.Stat when checking file permissions into release/1.13.x #19315


hc-github-team-secure-vault-core

Backport

This PR is auto-generated from #19311 to be assessed for backporting due to the inclusion of the label backport/1.13.x.

The below text is copied from the body of the original PR.


VAULT_ENABLE_FILE_PERMISSIONS_CHECK can be bypassed if the file is modified in between the time its ownership is checked, and the time it is opened. This PR opens the config files first, then uses the file pointers to perform the ownership checks.

There isn't a test for the actual attack, because any test requires multiple OS users, which is difficult to do from Go test code. To reliably test the time of check vs time of use difference, you'd also need to be able to make a sigaction() syscall to perform the ownership change. It doesn't seem worth it to create an enos scenario for a scenario this simple.


Overview of commits

miagilepner merged commit 6a73f37 into release/1.13.x on Feb 23, 2023.
miagilepner deleted the backport/miagilepner/VAULT-12299-filechecks/urgently-adapting-redbird branch on February 23, 2023 18:29.