permissions on /var/tmp/metrics_collector.sock
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
oslo.metrics |
Fix Released
|
Undecided
|
Unassigned | ||
python-oslo.metrics (Ubuntu) |
Fix Released
|
High
|
Unassigned |
Bug Description
Hello, I believe the socket is being created with incorrect permissions:
def main():
cfg.
socket_path = cfg.CONF.
m = MetricsListener
try:
My sys_stat.h(7) manpage has:
│S_IRWXU │ 0700 │ Read, write, execute/search by owner. │
..
│S_IRWXG │ 070 │ Read, write, execute/search by group. │
..
│S_IRWXO │ 07 │ Read, write, execute/search by others. │
Thus the resulting permissions are 0707. I don't recall seeing 0707 used intentionally before, it's only ever been a mistake by people using the symbolic forms rather than typing the desired octal directly.
If mode 0707 is intentional, can I ask for a comment to be placed there to describe why these unusual permissions are expected?
I propose replacing the modes with 0o666, 0o660, or 0o600, as appropriate. (The only mention of 'execute' in my unix(7) manpage is referring to the directory the socket is created in.)
Thanks
Changed in python-oslo.metrics (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → High |
As for security risks of this bug, I suppose it's that any local user or process on the server could inject fake/misleading metrics, or is the socket used for something else?