Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling



Hi

Maybe. However if someone is added to a users group that should really mean that they should at least be able to read things, even though they may not be able to write to stuff. So I actually think bash and others do the wrong thing here.

The way I have done it is also more in line with upstream opinion, even though upstream think it is ok for even anyone to read this file.

New simplified and with better comments attached to this mail.

Best regards

// Ola

On Wed, Aug 3, 2016 at 12:16 AM, Emilio Pozuelo Monfort <pochu@debian.org> wrote:
> On 02/08/16 23:57, Ola Lundqvist wrote:
> > Hi Chris
> >
> > The reason I do not simply set the umask to a fixed value is to use the same
> > principle as upstream. That is honor the umask set by the user. There may be
> > reasons why group read and/or write should be set for example.
> >
> > I agree with upstream that the umask should be honored, but not as strictly as
> > upstream do. This is why I just override the "world readable" part and let the
> > rest be controlled by the user.
> >
> > In the working patch you can see that I also set back the umask (just a little
> > further down in the file) as it was to just change this specific case of logging.
> >
> > More clear now?
>
> What do other programs do for similar files? My .bash_history is 0600 even
> though my umask is 0022. Having a umask that allows other users to read your
> files by default doesn't mean sensitive information should be made available. So
> perhaps you should ignore if the umask allows the group to read files?
>
> Cheers,
> Emilio




--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Description: World readable dbshell log file
 This correction make sure the ~/.dbshell log file is not world readable.
 .
 mongodb (1:2.0.6-1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Long Term Security Team.
   * Make sure dbshell log file is not readable by others
     CVE-2016-6494 (Closes: #832908).
Author: Ola Lundqvist <opal@debian.org>
Origin: other
Bug: https://jira.mongodb.org/browse/SERVER-25335
Bug-Debian: https://bugs.debian.org/832908
Forwarded: no
Reviewed-By: Ola Lundqvist <opal@debian.org>
Last-Update: 2016-08-01

Index: mongodb-2.0.6/third_party/linenoise/linenoise.cpp
===================================================================
--- mongodb-2.0.6.orig/third_party/linenoise/linenoise.cpp	2012-06-04 13:42:54.000000000 +0000
+++ mongodb-2.0.6/third_party/linenoise/linenoise.cpp	2016-08-02 22:28:13.094657162 +0000
@@ -104,11 +104,13 @@
 
 #include <termios.h>
 #include <unistd.h>
+#include <fcntl.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <errno.h>
 #include <string.h>
 #include <stdlib.h>
+#include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <unistd.h>
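Review bot: <fcntl.h> is added in the include block, but nothing in the hunks of this patch uses a declaration from it; umask(), stat() and chmod() all come from <sys/stat.h>. Drop the include unless the save path is changed to create the file with open().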
@@ -799,6 +801,11 @@
 /* Save the history in the specified file. On success 0 is returned
  * otherwise -1 is returned. */
 int linenoiseHistorySave(const char *filename) {
+    mode_t prev_mask = umask(0022);
+    // Make sure this file is not readable by others, but honor
+    // the umask for user and group permissions.
+    // CVE-2016-6494
+    umask(prev_mask | S_IRWXO);
     FILE *fp = fopen(filename,"w");
     int j;
     
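Review bot: the added umask(0022) call is only there to read the current mask, but umask() is process-wide, so this line and the following umask(prev_mask | S_IRWXO) change the mask for every thread until it is restored after fclose(). The mask also only applies when fopen(filename,"w") creates the file; an existing world-readable history file is truncated and keeps its mode unless linenoiseHistoryLoad has already fixed it. Creating the file with open() and an explicit mode, then fchmod() and fdopen(), avoids both problems without touching the umask.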
@@ -808,6 +815,8 @@
             fprintf(fp,"%s\n",history[j]);
     }
     fclose(fp);
+    // return umask as it was before
+    umask(prev_mask);
     return 0;
 }
 
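Review bot: the restore umask(prev_mask) sits only after fclose(fp), so any return taken between the fopen() and this point (the function comment documents a -1 failure return) leaves the tightened mask in effect for the rest of the process. The mask matters only at creation time, so restore it immediately after fopen(), before fp is checked.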
@@ -817,6 +826,15 @@
  * If the file exists and the operation succeeded 0 is returned, otherwise
  * on error -1 is returned. */
 int linenoiseHistoryLoad(const char *filename) {
+    struct stat fileStat;
+    if (stat(filename,&fileStat) < 0) return -1;
+    if (fileStat.st_mode & S_IRWXO) {
+      // If the file is world readable, writeable or executable
+      // make sure it is not but keep all other permissions.
+      // CVE-2016-6494
+      chmod(filename, fileStat.st_mode & 0777770);
+    }
+
     FILE *fp = fopen(filename,"r");
     char buf[LINENOISE_MAX_LINE];
     
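Review bot: stat(filename) and chmod(filename) work on the path, and the fopen(filename,"r") below resolves it a third time, so the file whose mode is changed is not guaranteed to be the file that is read, and both calls follow symlinks. Open the file first and use fstat() and fchmod() on fileno(fp). The mask 0777770 also passes the file-type bits of st_mode to chmod(); fileStat.st_mode & 07777 & ~S_IRWXO states the intent, and the chmod() return value should be checked.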

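Added example (not part of the original mail or of the linenoise/MongoDB code): the two policies argued in this thread, group bits left to the umask versus owner-only as with .bash_history, implemented without changing the process umask. The function names and the /tmp path are assumptions made for this illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not linenoise code. keep_group=1 follows the umask for
 * group bits (the patch's policy); keep_group=0 forces owner-only access
 * (what .bash_history shows in the thread). "other" never gets access. */
FILE *history_open_private(const char *path, int keep_group) {
    mode_t deny = keep_group ? S_IRWXO : (S_IRWXG | S_IRWXO);
    /* open() applies the umask to the requested mode; the mask itself is
     * never modified. O_NOFOLLOW refuses a symlink planted at the path. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0666 & ~deny);
    if (fd < 0) return NULL;

    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) { close(fd); return NULL; }

    /* A pre-existing file keeps its old mode across open(), so tighten it
     * through the descriptor before any history is written. */
    mode_t perms = st.st_mode & 07777;
    if ((perms & deny) && fchmod(fd, perms & ~deny) < 0) { close(fd); return NULL; }
    if (ftruncate(fd, 0) < 0) { close(fd); return NULL; }

    FILE *fp = fdopen(fd, "w");
    if (!fp) close(fd);
    return fp;
}

/* Save one constructed history line; return the file's mode bits or -1. */
int history_mode_after_save(const char *path, int keep_group) {
    FILE *fp = history_open_private(path, keep_group);
    if (!fp) return -1;
    fputs("db.constructed_example.find()\n", fp);
    if (fclose(fp) != 0) return -1;
    struct stat st;
    return stat(path, &st) < 0 ? -1 : (int)(st.st_mode & 0777);
}

int main(void) {
    const char *path = "/tmp/dbshell_added_example"; /* constructed path */
    printf("group per umask: %04o\n", (unsigned)history_mode_after_save(path, 1));
    printf("owner only:      %04o\n", (unsigned)history_mode_after_save(path, 0));
    unlink(path);
    return 0;
}
```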