ruby-core@ruby-lang.org archive (unofficial mirror)
 help / color / mirror / Atom feed
From: "Dan0042 (Daniel DeLorme) via ruby-core" <ruby-core@ml.ruby-lang.org>
To: ruby-core@ml.ruby-lang.org
Cc: "Dan0042 (Daniel DeLorme)" <noreply@ruby-lang.org>
Subject: [ruby-core:118938] [Ruby master Bug#20693] Dir.tmpdir should perform a real access check before warning about writability
Date: Fri, 23 Aug 2024 18:00:02 +0000 (UTC)	[thread overview]
Message-ID: <redmine.journal-109507.20240823175956.10173@ruby-lang.org> (raw)
In-Reply-To: <redmine.issue-20693.20240822233228.10173@ruby-lang.org>

Issue #20693 has been updated by Dan0042 (Daniel DeLorme).


What about changing/fixing `stat.writable?` to behave like `File.writable?`
It seems to me a source of confusion and subtle bugs that these two methods can return different values in edge cases.

----------------------------------------
Bug #20693: Dir.tmpdir should perform a real access check before warning about writability
https://bugs.ruby-lang.org/issues/20693#change-109507

* Author: kjtsanaktsidis (KJ Tsanaktsidis)
* Status: Open
* Backport: 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
----------------------------------------
The code in `Dir.tmpdir` attempts to warn the user if their temp directory is deficient for some reason:

```ruby
case
when !stat.directory?
  warn "#{name} is not a directory: #{dir}"
when !stat.writable?
  warn "#{name} is not writable: #{dir}"
when stat.world_writable? && !stat.sticky?
  warn "#{name} is world-writable: #{dir}"
else
  break dir
end
```

This check for writability is looking at the user/group/world access bits on the stat output, and determining if the user running Ruby is allowed to write to the temp directory based on that.

However, modern operating systems contain other mechanisms apart from the user/group/world bits which can grant access to a directory that would otherwise be denied, or vice versa. Things like:


* Posix ACL's
* Linux's capabilities like CAP_DAC_OVERRIDE
* Linux Security Modules like SELinux or AppArmor
* Syscall filters like Linux's seccomp
* Granular capability systems like FreeBSD's Capsicum
* OpenBSD's pledge and unveil
* Windows too has a rich ACL system for controlling filesystem access

To address this, we should call `File.writable?` instead of `stat.writable?`, which asks the system whether the file is writable using the `euidaccess()` function if available. On Linux/glibc, at least, this will issue an `access(2)` syscall, and the Kernel can take all of the above into account.

n.b. if Ruby is running as suid, then glibc currently will NOT ask the kernel to perform the access check in `euidaccess()`, and instead does a similar thing to what `Stat#writable?` does (https://github.com/bminor/glibc/blob/7f04bb4e49413bd57ac3215f3480b09ae7131968/sysdeps/posix/euidaccess.c#L159-L162). This is because of the relatively new `faccessat2(2)` syscall is required to do this properly, and there is some ecosystem issues with leveraging this by default (e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1900021). Since running Ruby as suid is probably a very bad idea anyway, and the glibc implementation isn't any worse than the `Stat#writable?` one, this seems OK though.



-- 
https://bugs.ruby-lang.org/
 ______________________________________________
 ruby-core mailing list -- ruby-core@ml.ruby-lang.org
 To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
 ruby-core info -- https://ml.ruby-lang.org/mailman3/lists/ruby-core.ml.ruby-lang.org/

  parent reply	other threads:[~2024-08-23 18:00 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-08-22 23:32 [ruby-core:118932] " kjtsanaktsidis (KJ Tsanaktsidis) via ruby-core
2024-08-23  6:26 ` [ruby-core:118936] " kjtsanaktsidis (KJ Tsanaktsidis) via ruby-core
2024-08-23 18:00 ` Dan0042 (Daniel DeLorme) via ruby-core [this message]
2024-08-23 23:45 ` [ruby-core:118942] " kjtsanaktsidis (KJ Tsanaktsidis) via ruby-core
2024-10-03  8:52 ` [ruby-core:119425] " mame (Yusuke Endoh) via ruby-core
2024-10-03  9:10 ` [ruby-core:119428] " akr (Akira Tanaka) via ruby-core

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=redmine.journal-109507.20240823175956.10173@ruby-lang.org \
    --to=ruby-core@ml.ruby-lang.org \
    --cc=noreply@ruby-lang.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).