fluentd
`FileUtils.mkdir_p` function call inside `backup_chunk` does not copy file permissions (e.g. sticky bit) into middle directories in the path.
Is your feature request related to a problem? Please describe.
The issue there is that when fluentd fails, it creates the bad chunks in a deep /tmp/../../ directory structure via the `FileUtils.mkdir_p` function call inside `backup_chunk`, which seems to be just a system call to the underlying Linux “mkdir -p -m /tmp/..” command.

```text
-m, --mode=MODE   set file mode (as in chmod), not a=rwx – umask
-p, --parents     no error if existing, make parent directories as needed
```
However, when used together, -m is only applied at the lowest/deepest directory of the specified directory structure, not copying the sticky bit of the /tmp directory to the middle directories. This is how Linux works, but this is a CIS vulnerability which is pointed out by the vulnerability scan.
Describe the solution you'd like
In order to resolve this vulnerability, fluentd has to be changed to set the -m parameter on all of the members of the directory tree somehow. https://gitlab.cncf.ci/fluent/fluentd/blob/master/lib/fluent/plugin/output.rb#L1251:

```ruby
FileUtils.mkdir_p(backup_dir, mode: system_config.dir_permission || 0755) unless Dir.exist?(backup_dir)
```
Solution could be to change mkdir_p to some custom function which iterates through the specified directory struct applying -m (mode).
Describe alternatives you've considered
I do not see.
Additional context
No response
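As an added example (not fluentd's code), a Ruby helper of the kind proposed above: it creates each missing component of the path and applies the requested mode, sticky bit included, to every directory it creates rather than only the leaf, plus an audit function that lists the components whose mode differs from what was requested. The function names and the sample path are assumptions; `Dir.mkdir` is subject to the umask, so the helper follows it with an explicit `File.chmod`.

```ruby
require 'fileutils'
require 'tmpdir'

# Hypothetical helper (not fluentd's code): create every missing component of
# `path` and apply `mode` to each one explicitly. Dir.mkdir applies the umask,
# so a separate File.chmod is needed to get the exact mode (including the
# setgid/sticky bits). Components that already exist are left untouched, so a
# shared parent such as /tmp is never rewritten.
# Returns the list of directories that were created, parent first.
def mkdir_p_with_mode(path, mode)
  path = File.expand_path(path)
  missing = []
  cur = path
  until File.directory?(cur) || File.dirname(cur) == cur
    missing.unshift(cur)
    cur = File.dirname(cur)
  end
  missing.each do |dir|
    begin
      Dir.mkdir(dir, mode)
    rescue Errno::EEXIST
      raise unless File.directory?(dir) # raced with another creator; accept
    end
    File.chmod(mode, dir) # umask-independent, sets sticky/setgid bits too
  end
  missing
end

# Audit helper: return the components of `path` below `base` whose permission
# bits (including suid/sgid/sticky) differ from `mode`. Empty means compliant.
def noncompliant_components(base, path, mode)
  base = File.expand_path(base)
  path = File.expand_path(path)
  out = []
  cur = path
  while cur.start_with?(base) && cur != base
    out << cur unless (File.stat(cur).mode & 07777) == mode
    cur = File.dirname(cur)
  end
  out
end

if __FILE__ == $0
  Dir.mktmpdir do |base|
    # constructed sample path mimicking a backup chunk location
    target = File.join(base, 'backup', 'worker0', 'out_file', 'chunk')
    created = mkdir_p_with_mode(target, 01770)
    puts "created: #{created.map { |d| d.sub(base, '') }.join(' ')}"
    puts "noncompliant: #{noncompliant_components(base, target, 01770).inspect}"
  end
end
```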
Thanks, @Simon-Janos Do you know whether this issue is assigned to CVE-*?
To be clear, if `dir_permission` was specified (like the above example), is it not vulnerable?
> Thanks, @Simon-Janos Do you know whether this issue is assigned to CVE-*?

Not to my knowledge.

> To be clear, if `dir_permission` was specified (like the above example), is it not vulnerable?

Yes, the problem is that you specify a `dir_permission` (e.g. with the sticky bit inside) but it does not apply to the whole directory structure of the specified path, only to the deepest one (and sometimes, but this is to be tested, not even to the deepest one). This is how Linux works, but it is not a desired behaviour.
Any update?
This issue has been automatically marked as stale because it has been open 90 days with no activity. Remove stale label or comment or this issue will be closed in 30 days
This issue was automatically closed because of stale in 30 days