credentials zip file should pack files with permissions 600

Bug #409777 reported by Dustin Kirkland 
This bug affects 1 person
Affects              Status     Importance  Assigned to        Milestone
Eucalyptus           Confirmed  Wishlist    chris grzegorczyk
eucalyptus (Ubuntu)  Won't Fix  Wishlist    Unassigned

Bug Description

You can download credentials from the web site in a packed zipfile.

When this file is unzipped, some relatively sensitive information is unpacked, including keys and credentials.

When creating the zipfile, these files should be permissioned appropriately, such as 600.

:-Dustin

Changed in eucalyptus (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Matt Zimmerman (mdz) wrote :

Does the zip format support UNIX permissions?

Dustin Kirkland  (kirkland) wrote : Re: [Bug 409777] Re: credentials zip file should pack files with permissions 600

Looks like it to me:

kirkland@x200:/tmp$ mkdir foo
kirkland@x200:/tmp$ cd foo/
kirkland@x200:/tmp/foo$ touch a b c
kirkland@x200:/tmp/foo$ chmod 740 a
kirkland@x200:/tmp/foo$ chmod 700 b
kirkland@x200:/tmp/foo$ chmod 444 c
kirkland@x200:/tmp/foo$ zip foo.zip *
  adding: a (stored 0%)
  adding: b (stored 0%)
  adding: c (stored 0%)
kirkland@x200:/tmp/foo$ cd ..
kirkland@x200:/tmp$ mkdir foo2
kirkland@x200:/tmp$ cd foo2/
kirkland@x200:/tmp/foo2$ unzip ../foo/*zip
Archive: ../foo/foo.zip
 extracting: a
 extracting: b
 extracting: c
kirkland@x200:/tmp/foo2$ ls -alF
total 0
drwxr-xr-x 2 kirkland kirkland 100 2009-09-26 03:08 ./
drwxrwxrwt 28 root root 920 2009-09-26 03:08 ../
-rwxr----- 1 kirkland kirkland 0 2009-09-26 03:08 a*
-rwx------ 1 kirkland kirkland 0 2009-09-26 03:08 b*
-r--r--r-- 1 kirkland kirkland 0 2009-09-26 03:08 c

Changed in eucalyptus:
assignee: nobody → chris grzegorczyk (chris-grze)
importance: Undecided → Wishlist
status: New → Confirmed
Thierry Carrez (ttx)
Changed in eucalyptus (Ubuntu):
status: Confirmed → Triaged
Dustin Kirkland  (kirkland) wrote :

Chris, can you bang this trivial change into 1.6.2?

chris grzegorczyk (chris-grze) wrote :

Sadly, the change is not trivial since it would require implementing
support for permissions in java.util.zip.*

Shelling out is not an option since the contents of the zip never
actually exist as files.

On Fri, Jan 29, 2010 at 10:54 AM, Dustin Kirkland
<email address hidden> wrote:
> Chris, can you bang this trivial change into 1.6.2?

--
Chris Grzegorczyk
Co-Founder and Engineer
Eucalyptus Systems, Inc.

130 Castilian St. | Goleta, CA | 93117
Office: 805-968-1400 x e^1 | Cell: 805-807-8237
Email: <email address hidden>
www.eucalyptus.com
________________________________________
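
Added example, not part of the original thread and not Eucalyptus code: the zip format records a Unix mode in the upper 16 bits of each entry's external attributes when the entry's "made by" host is Unix, so an archive can be built entirely in memory with 600 entries and audited afterwards. The entry names and contents below are constructed placeholders, and Python's zipfile stands in for whatever library the server actually uses.

```python
import io
import stat
import zipfile

UNIX = 3  # "version made by" host code for Unix in the zip format


def build_credentials_zip(files, mode=0o600):
    """Build a zip in memory; `files` maps entry name -> bytes (nothing touches disk)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            info = zipfile.ZipInfo(name)
            info.create_system = UNIX
            info.compress_type = zipfile.ZIP_DEFLATED
            # Upper 16 bits of the external attributes hold the Unix st_mode.
            info.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(info, data)
    return buf.getvalue()


def entry_modes(zip_bytes):
    """Return {entry name: permission bits, or None if no Unix mode is recorded}."""
    modes = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.create_system == UNIX:
                modes[info.filename] = stat.S_IMODE(info.external_attr >> 16)
            else:
                modes[info.filename] = None
    return modes


def too_permissive(zip_bytes, allowed=0o600):
    """Entry names whose recorded mode grants bits outside `allowed`, or records none."""
    return sorted(name for name, mode in entry_modes(zip_bytes).items()
                  if mode is None or mode & ~allowed)


# Constructed sample input; names and contents are hypothetical.
SAMPLE = {"private-key.pem": b"constructed key material\n",
          "settings.rc": b"EXAMPLE_VAR=1\n"}

if __name__ == "__main__":
    archive = build_credentials_zip(SAMPLE)
    for name, mode in entry_modes(archive).items():
        print(name, oct(mode))
    print("too permissive:", too_permissive(archive))
```

Whether the recorded mode is applied on extraction is up to the extracting tool: the unzip session earlier in this thread applied it, while Python's own zipfile.extractall does not restore it.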

Dustin Kirkland  (kirkland) wrote :

Mark won't-fix, as upstream says this isn't practical to solve, sadly.

Changed in eucalyptus (Ubuntu):
status: Triaged → Won't Fix
Andy Grimm (agrimm) wrote :

This issue is now being tracked upstream at http://eucalyptus.atlassian.net/browse/EUCA-2657

Please watch that issue for further updates.
