Skip to content

Don’t allow other users to connect by default#28

Merged
NikVolf merged 1 commit into
paritytech:masterfrom
Demi-Marie:strict-ipc-permissions
Jun 16, 2020
Merged

Don’t allow other users to connect by default#28
NikVolf merged 1 commit into
paritytech:masterfrom
Demi-Marie:strict-ipc-permissions

Conversation

@Demi-Marie
Copy link
Copy Markdown
Contributor

@Demi-Marie Demi-Marie commented Jun 13, 2020

This is the most secure default configuration, and prevents local
privilege escalation vulnerabilities. On Unix, permissions are set to
0o600, while on Windows, the DACL of the process’s token is used.

@Demi-Marie
Don’t allow other users to connect by default
86e09f0 
This is the most secure default configuration, and prevents local
privilege escalation vulnerabilities. On Unix, permissions are set to
0o600, while on Windows, the DACL of the process’s token is used.
@dlon dlon mentioned this pull request Jun 15, 2020
Closed
@NikVolf
Copy link
Copy Markdown
Contributor

NikVolf commented Jun 15, 2020

Thanks @demimarie-parity

I am not sure this should be default.

Have you researched how other libraries are organised and what users expect to be default (deny or allow all)?

@NikVolf NikVolf mentioned this pull request Jun 15, 2020
Merged
@Demi-Marie
Copy link
Copy Markdown
Contributor Author

Demi-Marie commented Jun 15, 2020
edited
Loading

@NikVolf Personally, I expect the default to be to deny access. Furthermore, overly strict permissions will be caught during testing, while overly loose permissions will not unless explicitly checked for.

@Demi-Marie
Copy link
Copy Markdown
Contributor Author

Demi-Marie commented Jun 15, 2020

@NikVolf I looked at permissions and found:

  • Connecting to an AF_UNIX socket requires write access to the socket. Since default umasks deny write access to other users, this is safe. It also means that using 0o600 permissions does not change anything in normal situations.
  • On Windows, default permissions for a named pipe give read access to everyone, and full control to the creator of the pipe, LocalSystem, and administrators. LocalSystem and Administrators can do anything, so that is fine. Read-only access is useless in most cases.

@NikVolf NikVolf merged commit 96c9bf6 into paritytech:master Jun 16, 2020
@Demi-Marie Demi-Marie deleted the strict-ipc-permissions branch June 22, 2020 00:25
@dlon
Copy link
Copy Markdown

dlon commented Sep 24, 2020

Could you release a new version including these changes on crates.io? It will allow us to get rid of some workarounds.

@faern faern mentioned this pull request Sep 30, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Demi-Marie @NikVolf @dlon