From: eam@frap.net
To: Charlie Brady
Cc: supervision@list.skarnet.org
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: Default permissions on supervise/ok
Date: Mon, 20 May 2013 21:43:22 -0700
Message-ID: <20130521044322.GA27482@frap.net>
References: <20130520235258.GA9770@frap.net>
Archived-At: http://permalink.gmane.org/gmane.comp.sysutils.supervision.general/2202

On Mon, May 20, 2013 at 08:47:37PM -0400, Charlie Brady wrote:
>
> On Mon, 20 May 2013, eam@frap.net wrote:
>
> > I'd like to allow any user to access supervise/ok, in order to run
> > `sv stat`, but not to access supervise/control. My understanding is that
> > this is safe, as supervise/ok is a read-only interface. Is this accurate,
> > and is this a reasonable idea? Anything I should be warned about? Am I
> > overlooking anything important?
> >
> > chmod 755 supervise
> > chmod 666 supervise/ok
>
> Why wouldn't you use 644 for supervise/ok? Remember that you have no
> guarantee that Joe User will use 'sv' to access the file.

sv refuses to run if it can't open the fifo as writable.

My intent is to allow any user to inspect the process state, but not influence it. My understanding is that runsv will never read from the fifo, and will only use opening it as a test to verify that a process exists at the other end. This doesn't seem exploitable, as it's a read-only channel. At least, as far as I can tell.

supervise/status already has 644 perms, which is fine because `sv` opens it read-only, but the default permissions on the parent supervise/ directory are 700, which prohibits access.

Control of runsv is performed over supervise/control, which I would not make world- or group-writable, of course.
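The liveness test the reply describes (a client opens supervise/ok for writing, and the open only succeeds while the supervisor holds the read end open) can be reproduced with a plain FIFO. The following is an added example written for this page; it is not code from runit, and it assumes the sketch given above of what sv and runsv do rather than reading either program's source. It builds a throwaway directory with a FIFO named `ok`, plays the supervisor's role by holding the read end open, and probes it the way a client would. The mode 0644 is the one suggested in the quoted reply; with it, only the FIFO's owner (or root) can perform the write-open probe at all, which is why a world-readable-but-not-writable mode makes `sv stat` fail for other users.

```python
import errno
import os
import stat
import tempfile


def probe_ok_fifo(path):
    """Model of the client-side check described in the post.

    Open the FIFO write-only and non-blocking.  On POSIX systems this
    succeeds only if some process currently holds the read end open,
    and fails with ENXIO if nobody does.  Returns one of:
      "up"      - a reader (the supervisor) is present
      "down"    - no reader is present
      "denied"  - the caller lacks write permission on the FIFO, which
                  is what a non-owner sees when the mode is 0644
    """
    try:
        fd = os.open(path, os.O_WRONLY | os.O_NONBLOCK)
    except OSError as exc:
        if exc.errno == errno.ENXIO:
            return "down"
        if exc.errno in (errno.EACCES, errno.EPERM):
            return "denied"
        raise
    os.close(fd)  # the probe never writes anything; opening was the test
    return "up"


def demo():
    """Construct a stand-in supervise/ directory and run the probe in
    three states: before any supervisor exists, while a supervisor holds
    the read end, and after it has gone away.  Returns a dict of results."""
    # Constructed temporary stand-in for a real supervise/ directory.
    supervise = tempfile.mkdtemp(prefix="supervise-demo-")
    ok = os.path.join(supervise, "ok")
    os.mkfifo(ok)
    os.chmod(ok, 0o644)  # mkfifo honours umask, so set the mode explicitly

    results = {"mode": oct(stat.S_IMODE(os.stat(ok).st_mode))}

    # State 1: nobody holds the read end, so a writer cannot attach.
    results["no_supervisor"] = probe_ok_fifo(ok)

    # State 2: act as the supervisor.  A non-blocking read-only open of a
    # FIFO succeeds immediately even with no writer present; holding this
    # descriptor open is what makes the client's probe succeed.  Nothing
    # is ever read from it, matching the behaviour described in the post.
    supervisor_fd = os.open(ok, os.O_RDONLY | os.O_NONBLOCK)
    results["with_supervisor"] = probe_ok_fifo(ok)

    # State 3: supervisor exits (descriptor closed); the probe fails again.
    os.close(supervisor_fd)
    results["after_supervisor_exit"] = probe_ok_fifo(ok)

    os.unlink(ok)
    os.rmdir(supervise)
    return results


if __name__ == "__main__":
    for state, outcome in demo().items():
        print(f"{state:>22}: {outcome}")
```

Run as a single owner-less test the probe only ever exercises the "up" and "down" paths, because the process that created the FIFO owns it; to see "denied" you would have to run the probe as a different, non-root user against a 0644 FIFO, which is exactly the situation the thread is discussing. The assumption baked into the model is the one stated in the reply: the supervisor's read end is held open purely as a presence signal and is never read from, so a client holding the write end can neither observe nor influence anything beyond "something is listening".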