Permission Dangerous
Hi,
I have installed your project; great idea, much easier than doing it by hand. But you use dangerous permissions. When you list the files:
ls -lha ananicy.d/
total 40K
drwxr-xr-x 3 pc pc 4,0K déc. 16 14:20 .
drwxr-xr-x 157 root root 12K déc. 16 16:51 ..
-rw-r--r-- 1 pc pc 260 déc. 16 14:20 00-cgroups.cgroups
drwxr-xr-x 3 pc pc 12K déc. 16 16:50 00-default
-rw-r--r-- 1 pc pc 1,3K déc. 16 14:20 00-types.types
-rw-r--r-- 1 pc pc 381 déc. 16 14:20 ananicy.conf
The permissions in /etc/ are user permissions, which should not be possible; that opens security issues.
I have switched them to root for more security:
ls -lha ananicy.d/
total 40K
drwxr-xr-x 3 root root 4,0K déc. 16 14:20 .
drwxr-xr-x 157 root root 12K déc. 16 16:51 ..
-rw-r--r-- 1 root root 260 déc. 16 14:20 00-cgroups.cgroups
drwxr-xr-x 3 root root 12K déc. 16 16:50 00-default
-rw-r--r-- 1 root root 1,3K déc. 16 14:20 00-types.types
-rw-r--r-- 1 root root 381 déc. 16 14:20 ananicy.conf
The same applies to:
ls -lha /lib/systemd/system/ananicy.service
-rw-r--r-- 1 pc pc 456 déc. 16 14:20 /lib/systemd/system/ananicy.service
If you want, I can help you with that on your project.
Best Regards
One solution to force root in the package: https://github.com/Nefelim4ag/Ananicy/pull/187
Alternative solution for deb distros: #202
The idea is to use a post-install hook. Once the deb package is installed, the script named postinst inside the deb package will be run. This script updates ownership of all ananicy files to root:root. The package can be built from any user.
I'd say this solution is temporary just to close the security issue quickly. The proper long-term solution should be setting up a CI pipeline which will build the packages with the proper permissions automatically on each merge into master branch.
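A way to confirm the installed files ended up root-owned and not group- or world-writable, as an added example that is not part of this thread or of the Ananicy project. The two paths are the ones listed above; the function names `audit_path` and `audit_ananicy` are hypothetical.

```shell
#!/bin/sh
# Added example: audit ownership and write bits on Ananicy's installed files.
# Paths are the ones shown in the thread; the function names are hypothetical.

# audit_path PATH [OWNER]
# Prints one `ls -ld` line per entry under PATH that is not owned by OWNER
# (default: root) or is writable by group or others.
# Returns 0 if clean, 1 if anything was reported, 2 if PATH does not exist.
audit_path() {
    path=$1
    owner=${2:-root}
    [ -e "$path" ] || { echo "MISSING $path" >&2; return 2; }

    # -user accepts a user name or a numeric uid; -perm -020 and -perm -002
    # match the group-write and other-write bits. Symlinks are skipped
    # because their own mode bits are not meaningful on Linux.
    findings=$(find "$path" ! -type l \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) \
        -exec ls -ld {} \;)

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# audit_ananicy: run the check over both locations listed in the thread.
# Usage: audit_ananicy || echo "ownership or mode needs fixing"
audit_ananicy() {
    status=0
    for p in /etc/ananicy.d /lib/systemd/system/ananicy.service; do
        audit_path "$p" root || status=1
    done
    return "$status"
}
```
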
Hmm, this doesn't seem to be a problem on my Arch Linux box? I installed via the AUR package ananicy-git.
With ls -lha /etc/ananicy.d, I get
Permissions | Size | User | Date Modified | Name |
---|---|---|---|---|
.rw-r--r-- | 260 | root | 3 Mar 13:42 | 00-cgroups.cgroups |
drwxr-xr-x | - | root | 3 Mar 13:42 | 00-default |
.rw-r--r-- | 1.3k | root | 3 Mar 13:42 | 00-types.types |
.rw-r--r-- | 381 | root | 3 Mar 13:42 | ananicy.conf |
@Techcable, yeah, your permissions are correct.