credentials zip file should pack files with permissions 600

Bug #409777 reported by Dustin Kirkland  on 2009-08-06
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Eucalyptus | Confirmed | Wishlist | chris grzegorczyk |
eucalyptus (Ubuntu) | | Wishlist | Unassigned |

Bug Description

You can download credentials from the web site in a packed zipfile.

When this file is unzipped, some relatively sensitive information is unpacked, including keys and credentials.

When creating the zipfile, these files should be permissioned appropriately, such as 600.

:-Dustin

Changed in eucalyptus (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Matt Zimmerman (mdz) wrote :

Does the zip format support UNIX permissions?

Looks like it to me:

kirkland@x200:/tmp$ mkdir foo
kirkland@x200:/tmp$ cd foo/
kirkland@x200:/tmp/foo$ touch a b c
kirkland@x200:/tmp/foo$ chmod 740 a
kirkland@x200:/tmp/foo$ chmod 700 b
kirkland@x200:/tmp/foo$ chmod 444 c
kirkland@x200:/tmp/foo$ zip foo.zip *
  adding: a (stored 0%)
  adding: b (stored 0%)
  adding: c (stored 0%)
kirkland@x200:/tmp/foo$ cd ..
kirkland@x200:/tmp$ mkdir foo2
kirkland@x200:/tmp$ cd foo2/
kirkland@x200:/tmp/foo2$ unzip ../foo/*zip
Archive: ../foo/foo.zip
 extracting: a
 extracting: b
 extracting: c
kirkland@x200:/tmp/foo2$ ls -alF
total 0
drwxr-xr-x 2 kirkland kirkland 100 2009-09-26 03:08 ./
drwxrwxrwt 28 root root 920 2009-09-26 03:08 ../
-rwxr----- 1 kirkland kirkland 0 2009-09-26 03:08 a*
-rwx------ 1 kirkland kirkland 0 2009-09-26 03:08 b*
-r--r--r-- 1 kirkland kirkland 0 2009-09-26 03:08 c

Changed in eucalyptus:
assignee: nobody → chris grzegorczyk (chris-grze)
importance: Undecided → Wishlist
status: New → Confirmed
Thierry Carrez (ttx) on 2009-10-14
Changed in eucalyptus (Ubuntu):
status: Confirmed → Triaged
Dustin Kirkland  (kirkland) wrote :

Chris, can you bang this trivial change into 1.6.2?

chris grzegorczyk (chris-grze) wrote :

Sadly, the change is not trivial since it would require implementing
support for permissions in java.util.zip.*

Shelling out is not an option since the contents of the zip never
actually exist as files.

On Fri, Jan 29, 2010 at 10:54 AM, Dustin Kirkland
<email address hidden> wrote:
> Chris, can you bang this trivial change into 1.6.2?

--
Chris Grzegorczyk
Co-Founder and Engineer
Eucalyptus Systems, Inc.

________________________________________
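
The zip format keeps a Unix mode in each entry's external-attributes field, so an archive assembled entirely in memory can still mark its entries 600, and a reader can check an archive for entries that are looser than that. This is an added example, not Eucalyptus code and not from anyone in this thread; it uses Python's zipfile module rather than java.util.zip, and the file names and contents are constructed placeholders.

```python
import io
import stat
import zipfile

# Constructed placeholder contents, not real credentials.
SAMPLE = {
    "example-pk.pem": b"constructed placeholder private key\n",
    "example-cert.pem": b"constructed placeholder certificate\n",
}


def build_credentials_zip(files, mode=0o600):
    """Pack {name: bytes} into an in-memory zip; every entry carries Unix `mode`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            info = zipfile.ZipInfo(name)
            # create_system 3 means Unix: the high 16 bits of external_attr
            # are then read as st_mode (file type plus permission bits).
            info.create_system = 3
            info.external_attr = (stat.S_IFREG | mode) << 16
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def loose_entries(zip_bytes):
    """Return {name: mode} for entries readable by group/other.

    Entries with no Unix mode recorded map to None: the extractor's umask
    decides their permissions, so they are reported as well.
    """
    loose = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            unix = info.external_attr >> 16
            mode = stat.S_IMODE(unix) if info.create_system == 3 and unix else None
            if mode is None or mode & 0o077:
                loose[info.filename] = mode
    return loose


if __name__ == "__main__":
    archive = build_credentials_zip(SAMPLE)
    print("loose entries at 600:", loose_entries(archive))
    print("loose entries at 644:", loose_entries(build_credentials_zip(SAMPLE, 0o644)))
```

An extractor that honours the stored mode, as unzip does in the session earlier in this report, will create these files as -rw-------.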

Dustin Kirkland  (kirkland) wrote :

Mark won't-fix, as upstream says this isn't practical to solve, sadly.

Changed in eucalyptus (Ubuntu):
status: Triaged → Won't Fix
Andy Grimm (agrimm) wrote :

This issue is now being tracked upstream at http://eucalyptus.atlassian.net/browse/EUCA-2657

Please watch that issue for further updates.
