Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unsecure file permissions after running build #6137

Open
stweil opened this issue Jul 21, 2024 · 0 comments
Open

Unsecure file permissions after running build #6137

stweil opened this issue Jul 21, 2024 · 0 comments
Labels
bug

Comments

@stweil
Copy link
Member

stweil commented Jul 21, 2024

Describe the bug
After running mvn clean build several script files are writable for any user who has access to the build host:

-rw-rw-rw-  1 stweil  wheel  355 21 Jul 08:13 Kitodo-Command/src/test/resources/not_working_script.sh
-rw-rw-rw-  1 stweil  wheel  359 21 Jul 08:13 Kitodo-Command/src/test/resources/working_script.sh
-rw-rw-rw-  1 stweil  wheel  350 21 Jul 08:13 Kitodo-Command/src/test/resources/working_script_with_parameters.sh
-rw-rw-rw-  1 stweil  wheel  459 21 Jul 08:13 Kitodo-FileManagement/src/test/resources/scripts/script_createDirMeta.sh
-rw-rw-rw-  1 stweil  wheel  370 21 Jul 08:13 Kitodo/src/test/resources/scripts/long_working_script_1s.sh
-rw-rw-rw-  1 stweil  wheel  371 21 Jul 08:13 Kitodo/src/test/resources/scripts/long_working_script_2s.sh
-rw-rw-rw-  1 stweil  wheel  511 21 Jul 08:13 Kitodo/src/test/resources/scripts/script_createSymLink.sh
-rw-rw-rw-  1 stweil  wheel  476 21 Jul 08:13 Kitodo/src/test/resources/scripts/script_deleteSymLink.sh
-rw-rw-rw-  1 stweil  wheel  360 21 Jul 08:13 Kitodo/src/test/resources/scripts/working_script.sh
-rw-rw-rw-  1 stweil  wheel  350 21 Jul 08:13 Kitodo/src/test/resources/scripts/working_script_with_parameters.sh

A malicious user can replace the script code with any code which would be run with the next build process.

Of course this is not a problem on build hosts with a single user or only trusted users as long as these build hosts cannot be accessed from outside (otherwise for example security issues in web applications could be used to modify the script files). But if this is a precondition for secure builds, it must be mentioned prominently.

To Reproduce
Steps to reproduce the behavior:

  1. Clone kitodo-production and enter its root directory.
  2. Prepare the build und run mvn clean build (optionally with additional parameters).
  3. The scripts listed above are now world-writable.

Expected behavior
The build process must not create files which are world-writable.

Release
The bug exists for a long time now – also in the latest code.
@stweil stweil added the bug label Jul 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@stweil