Re: Default permissions on supervise/ok

supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
 help / color / mirror / Atom feed

From: eam@frap.net
To: Charlie Brady <charlieb-supervision@budge.apana.org.au>
Cc: supervision@list.skarnet.org
Subject: Re: Default permissions on supervise/ok
Date: Mon, 20 May 2013 21:43:22 -0700	[thread overview]
Message-ID: <20130521044322.GA27482@frap.net> (raw)
In-Reply-To: <Pine.LNX.4.64.1305202043210.13324@e-smith.charlieb.ott.istop.com>

On Mon, May 20, 2013 at 08:47:37PM -0400, Charlie Brady wrote:
> 
> On Mon, 20 May 2013, eam@frap.net wrote:
> 
> > I'd like to allow any user to access supervise/ok, in order to run
> > `sv stat`, but not to access supervise/control. My understanding is that
> > this is safe, as supervise/ok is a read-only interface. Is this accurate,
> > and is this a reasonable idea? Anything I should be warned about? Am I
> > overlooking anything important?
> > 
> > chmod 755 supervise
> > chmod 666 supervise/ok
> 
> Why wouldn't you use 644 for supervise/ok? Remember that you have no 
> guarantee that Joe User will use 'sv' to access the file.

sv refuses to run if it can't open the fifo as writable. My intent is to
allow any user to inspect the process state, but not influence it.

My understanding is that runsv will never read from the fifo, and will
only use opening it as a test to verify the process exists the other end.
This doesn't seem exploitable as it's a read-only channel. At least, as
far as I can tell.

supervise/status already has 644 perms, which is fine because `sv` opens
it readonly, but the default permission on the parent supervise/ directory
are 700 which prohibits access.

Control of runsv is performed over supervise/control, which I would not
make world or group writable, of course.

next prev parent reply	other threads:[~2013-05-21  4:43 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-05-20 23:52 eam
2013-05-21  0:47 ` Charlie Brady
2013-05-21  4:43   ` eam [this message]
2013-05-21  9:58     ` Laurent Bercot
2013-05-21 15:29       ` eam
2013-05-21 15:10         ` Laurent Bercot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20130521044322.GA27482@frap.net \
    --to=eam@frap.net \
    --cc=charlieb-supervision@budge.apana.org.au \
    --cc=supervision@list.skarnet.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).