uProxy-p2p

UP-01-010 Grunt & Node execute code in /home/lib, /home/node_modules

Open cure53 opened this issue 11 years ago • 0 comments

The following issue was discovered while attempting to build code in the uproxy-obfuscators repository. Nodejs, when searching for a module, will traverse the filesystem upwards until it finds the module. For typical processes, this includes searching for the module in /home/node_modules, meaning that if a user named node_modules exists, this user can inject code into the nodejs processes of other users if nodejs modules are missing.

Similarly, Grunt, if it can’t find grunt.js, will execute code from /home/lib/grunt.js. We recommend that if the filesystem is traversed upwards like this, it should be verified that all folders upwards of the current one that are traversed are owned by the current user. For example, if a process in /home/user/tmp tries to use a file from /home/lib/, it should verify the ownership of /home/user and /home. This should at least protect all users apart from root, who usually won’t run scripts inside /home or so.

cure53 Sep 24 '14 18:09
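The ownership check recommended in the issue, sketched as an added example (not code from the issue, uProxy, Node.js or Grunt). The function names, the injectable `statFn` parameter and the uid table are assumptions made for illustration; the sample paths mirror the ones in the issue text.

```javascript
const fs = require('fs');
const path = require('path');

// Directories walked upward from startDir until reaching the one that
// contains resolvedFile, e.g. /home/user/tmp -> /home/user -> /home.
function traversedAncestors(startDir, resolvedFile) {
  const target = path.resolve(resolvedFile);
  const dirs = [];
  let dir = path.resolve(startDir);
  for (;;) {
    dirs.push(dir);
    const prefix = dir.endsWith(path.sep) ? dir : dir + path.sep;
    if (target.startsWith(prefix)) return dirs; // common ancestor reached
    const parent = path.dirname(dir);
    if (parent === dir) return dirs; // filesystem root reached
    dir = parent;
  }
}

// Returns the traversed directories NOT owned by uid; an empty list means
// every directory crossed on the way up belongs to the current user.
// statFn is injectable so the check can be exercised on a constructed tree.
function foreignOwnedAncestors(startDir, resolvedFile, uid, statFn = fs.statSync) {
  return traversedAncestors(startDir, resolvedFile)
    .filter((dir) => statFn(dir).uid !== uid);
}

// Constructed sample: owner uid per directory (1000 = current user, 0 = root).
const SAMPLE_OWNERS = { '/home/user/tmp': 1000, '/home/user': 1000, '/home': 0 };
const sampleStat = (dir) => ({ uid: SAMPLE_OWNERS[dir] });

function demo() {
  const cwd = '/home/user/tmp';
  return {
    // Module found below the working directory: nothing foreign is crossed.
    local: foreignOwnedAncestors(cwd, cwd + '/node_modules/x/index.js', 1000, sampleStat),
    // The two lookups from the issue: both cross /home, which uid 1000 does not own.
    gruntLib: foreignOwnedAncestors(cwd, '/home/lib/grunt.js', 1000, sampleStat),
    homeModules: foreignOwnedAncestors(cwd, '/home/node_modules/x/index.js', 1000, sampleStat),
  };
}

console.log(demo());
```

In a real process the inputs would come from `require.resolve(name)` and `process.getuid()`, and a non-empty result is the signal to refuse the load.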