
Unix: Don't create world-writable files when safe save is enabled #96399

Merged
merged 2 commits into from
Nov 22, 2024

Conversation

andyprice
Contributor

When the "filesystem/on_save/safe_save_on_backup_then_rename" option is enabled, files are created with 0666 permissions (-rw-rw-rw-), which is too loose. Use 0644 (-rw-r--r--) instead, which is how the files would normally be created with the setting disabled and the system umask taken into account.

Note: Originally I was going to remove the fchmod() entirely and allow mkstemp() to set the permissions based on the umask, but #79866 (comment) suggests that would break web builds. However, there should be no reason for files created by Godot to ever be world-writable.

@andyprice andyprice requested a review from a team as a code owner August 31, 2024 18:39
@AThousandShips AThousandShips added this to the 4.4 milestone Sep 1, 2024
@fire fire requested a review from a team September 3, 2024 15:55
@akien-mga akien-mga changed the title unix: Don't create world-writable files when safe save is enabled Unix: Don't create world-writable files when safe save is enabled Sep 3, 2024
@akien-mga akien-mga requested a review from bruvzg September 3, 2024 16:05
@akien-mga
Member

Makes sense to me. I also see another 0666 there, not sure if that's also something we need to review:

Error FileAccessUnixPipe::open_internal(const String &p_path, int p_mode_flags) {
...
                if (mkfifo(path.utf8().get_data(), 0666) != 0) {

@andyprice
Contributor Author

> Makes sense to me. I also see another 0666 there, not sure if that's also something we need to review:
>
> Error FileAccessUnixPipe::open_internal(const String &p_path, int p_mode_flags) {
> ...
>                 if (mkfifo(path.utf8().get_data(), 0666) != 0) {

I think this should be 0600 to make sure only the current user can read from or write to the pipe. I'm not too familiar with how pipes are used in Godot but I suspect there wouldn't be (shouldn't be) multiple users involved in communication over them.
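The permission behaviour discussed above, as an added example that is not Godot's code: fchmod() applies its mode verbatim (so 0666 after mkstemp() is world-writable whatever the umask), whereas mkfifo() is filtered through the umask. The /tmp path templates are constructed for the demonstration; each helper returns the permission bits the kernel actually reports so the result can be checked.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not Godot code. fchmod() applies its mode verbatim, ignoring
 * the umask, so 0666 after mkstemp() is world-writable on every system; 0644
 * matches a plain open() under the usual 022 umask. mkfifo() does honour the
 * umask, so 0600 can only become more restrictive. */

/* Returns 1 if the permission bits allow write by "other". */
int is_world_writable(int mode) { return (mode & S_IWOTH) != 0; }

/* mkstemp() a temp file, apply `mode` with fchmod() as the safe-save path
 * does, and return the bits fstat() reports (-1 on error). File is removed. */
int create_file_with_mode(mode_t mode) {
    char path[] = "/tmp/safe_save_example_XXXXXX"; /* constructed template */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int result = -1;
    struct stat st;
    if (fchmod(fd, mode) == 0 && fstat(fd, &st) == 0)
        result = (int)(st.st_mode & 0777);
    close(fd);
    unlink(path);
    return result;
}

/* mkfifo() a pipe inside a fresh private directory and return the bits
 * stat() reports (-1 on error). Pipe and directory are removed afterwards. */
int create_fifo_with_mode(mode_t mode) {
    char dir[] = "/tmp/pipe_example_XXXXXX"; /* constructed template */
    if (mkdtemp(dir) == NULL) return -1;
    char path[64];
    snprintf(path, sizeof(path), "%s/pipe", dir);
    int result = -1;
    struct stat st;
    if (mkfifo(path, mode) == 0 && stat(path, &st) == 0)
        result = (int)(st.st_mode & 0777);
    unlink(path);
    rmdir(dir);
    return result;
}

int main(void) {
    printf("fchmod 0666 -> %04o, fchmod 0644 -> %04o, mkfifo 0600 -> %04o\n",
           create_file_with_mode(0666), create_file_with_mode(0644),
           create_fifo_with_mode(0600));
    return 0;
}
```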

When the "filesystem/on_save/safe_save_on_backup_then_rename" option is
enabled, files are created with 0666 permissions (-rw-rw-rw-), which is
too loose. Use 0644 (-rw-r--r--) instead, which is how the files would
normally be created with the setting disabled and the system umask taken
into account.

Named pipes created using the "pipe://" file access scheme should not be
world-writable or readable. Limit their access to the current user by
creating them with 0600 permissions instead of 0666.
@andyprice
Contributor Author

I've added a commit to limit the pipe permissions too.

@andyprice
Contributor Author

(Polite nudge for reviews or merge.)

@akien-mga akien-mga left a comment
Member

The change to fchmod seems correct to me.

I'm not familiar enough with Unix pipes to assess the mkfifo one; it would be great if @bruvzg could have a look.

@andyprice
Contributor Author

Are there any outstanding concerns with this PR? @bruvzg?

@akien-mga akien-mga requested a review from bruvzg November 21, 2024 11:40
@Repiteo Repiteo merged commit 030cc69 into godotengine:master Nov 22, 2024
20 checks passed
@Repiteo
Contributor

Repiteo commented Nov 22, 2024

Thanks! Congratulations on your first contribution! 🎉
