Date: Tue, 22 Oct 2024 06:30:55 +0000 (UTC)
To: ruby-core@ml.ruby-lang.org
From: "kjtsanaktsidis (KJ Tsanaktsidis) via ruby-core"
Subject: [ruby-core:119586] [Ruby master Bug#20693] Dir.tmpdir should perform a real access check before warning about writability

Issue #20693 has been updated by kjtsanaktsidis (KJ Tsanaktsidis).

Status changed from Open to Closed
Backport changed from 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN to 3.1: DONTNEED, 3.2: DONTNEED, 3.3: DONTNEED

Merged in 7d254e4a2e16dd6275452a2a67b0fcd600cdc990

----------------------------------------
Bug #20693: Dir.tmpdir should perform a real access check before warning about writability
https://bugs.ruby-lang.org/issues/20693#change-110205

* Author: kjtsanaktsidis (KJ Tsanaktsidis)
* Status: Closed
* Assignee: akr (Akira Tanaka)
* Backport: 3.1: DONTNEED, 3.2: DONTNEED, 3.3: DONTNEED
----------------------------------------
The code in `Dir.tmpdir` attempts to warn the user if their temp directory is deficient for some reason:

```ruby
case
when !stat.directory?
  warn "#{name} is not a directory: #{dir}"
when !stat.writable?
  warn "#{name} is not writable: #{dir}"
when stat.world_writable? && !stat.sticky?
  warn "#{name} is world-writable: #{dir}"
else
  break dir
end
```

This check for writability is looking at the user/group/world access bits on the stat output, and determining if the user running Ruby is allowed to write to the temp directory based on that.

However, modern operating systems contain other mechanisms apart from the user/group/world bits which can grant access to a directory that would otherwise be denied, or vice versa. Things like:

* POSIX ACLs
* Linux's capabilities like CAP_DAC_OVERRIDE
* Linux Security Modules like SELinux or AppArmor
* Syscall filters like Linux's seccomp
* Granular capability systems like FreeBSD's Capsicum
* OpenBSD's pledge and unveil
* Windows too has a rich ACL system for controlling filesystem access

To address this, we should call `File.writable?` instead of `stat.writable?`, which asks the system whether the file is writable using the `euidaccess()` function if available. On Linux/glibc, at least, this will issue an `access(2)` syscall, and the kernel can take all of the above into account.

n.b. if Ruby is running as suid, then glibc currently will NOT ask the kernel to perform the access check in `euidaccess()`, and instead does a similar thing to what `Stat#writable?` does (https://github.com/bminor/glibc/blob/7f04bb4e49413bd57ac3215f3480b09ae7131968/sysdeps/posix/euidaccess.c#L159-L162). This is because the relatively new `faccessat2(2)` syscall is required to do this properly, and there are some ecosystem issues with leveraging this by default (e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1900021). Since running Ruby as suid is probably a very bad idea anyway, and the glibc implementation isn't any worse than the `Stat#writable?` one, this seems OK though.
-- 
https://bugs.ruby-lang.org/
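An added example, not part of the original message or of Ruby's `tmpdir.rb`: a small diagnostic that evaluates a candidate temp directory with both checks named in the issue, `File::Stat#writable?` (mode bits) and `File.writable?` (asks the OS), and flags when they disagree, which is what ACLs, LSMs or similar mechanisms would cause. The names `audit_tmpdir` and `demo_verdicts` are hypothetical, and the sample directories are constructed.

```ruby
require "tmpdir"

# Hypothetical helper (not Ruby's own code): classify a candidate temp
# directory using both writability checks discussed in the issue.
def audit_tmpdir(dir)
  stat   = File.stat(dir)
  bits   = stat.writable?       # decided from uid/gid/mode bits in the stat result
  access = File.writable?(dir)  # asks the OS (euidaccess()/access(2) where available)

  verdict =
    if !stat.directory?
      :not_directory
    elsif !access                # the real access check drives the verdict
      :not_writable
    elsif stat.world_writable? && !stat.sticky?
      :world_writable            # anyone may replace or remove others' temp files
    else
      :ok
    end

  { verdict: verdict, bits_writable: bits, access_writable: access,
    disagree: bits != access }   # true when ACLs/LSMs etc. override the mode bits
rescue SystemCallError => e
  { verdict: :unreadable, error: e.class.name }
end

# Constructed sample inputs: throwaway directories with chosen mode bits.
def demo_verdicts
  Dir.mktmpdir("tmpdir-audit") do |root|
    modes = { "private" => 0o700, "open" => 0o777, "sticky" => 0o1777 }
    out = modes.to_h do |name, mode|
      path = File.join(root, name)
      Dir.mkdir(path)
      File.chmod(mode, path)     # chmod is not affected by the umask
      [name, audit_tmpdir(path)[:verdict]]
    end
    file = File.join(root, "plain")
    File.write(file, "")
    out.merge("file"    => audit_tmpdir(file)[:verdict],
              "missing" => audit_tmpdir(File.join(root, "nope"))[:verdict])
  end
end

# Run against the real temp directory when executed directly.
p audit_tmpdir(ENV.fetch("TMPDIR", "/tmp")) if $PROGRAM_NAME == __FILE__
```

A `disagree: true` result on a real system means the mode bits alone would have given the wrong answer for that directory.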