permission: fix chmod,chown,link, and lutimes #47529

Merged

@RafaelGSS RafaelGSS commented Apr 12, 2023

fs.chmod, fs.chown, fs.link, and fs.lutimes weren't handled properly by the permission model. This PR fixes it and increases the coverage of all file system APIs using the permission model.
cc: @nodejs/security-wg

Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. fs Issues and PRs related to the fs subsystem / file system. needs-ci PRs that need a full CI run. labels Apr 12, 2023
@RafaelGSS RafaelGSS added the request-ci Add this label to start a Jenkins CI on a PR. label Apr 12, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Apr 12, 2023
@marco-ippolito marco-ippolito left a comment

LGTM

@RafaelGSS RafaelGSS added the fast-track PRs that do not need to wait for 48 hours to land. label Apr 13, 2023
@github-actions
Contributor

Fast-track has been requested by @RafaelGSS. Please 👍 to approve.

@RafaelGSS
Member Author

I need to include it on v20.0.0 proposal for security reasons.

@tniessen tniessen left a comment

The title and description only mention chmod and chown, but based on the diff, it looks like there are also issues with link and lutimes.

@tniessen tniessen added the security Issues and PRs related to security. label Apr 13, 2023
@RafaelGSS RafaelGSS changed the title from "permission: fix chmod,chown improve fs coverage" to "permission: fix chmod,chown,link, and lutimes" Apr 13, 2023
@tniessen
Member

> I need to include it on v20.0.0 proposal for security reasons.

We've previously delayed releasing the permission model whenever a new vulnerability was found. #44004 (comment) suggested "a baking-time of 1 release for this feature (after landing all the patches)". It's not semver-major so we could land it in 20.1.0 instead, but I assume that's not really an option because 20.x is picking up everything from the main branch.

@RafaelGSS
Member Author

> > I need to include it on v20.0.0 proposal for security reasons.
>
> We've previously delayed releasing the permission model whenever a new vulnerability was found. #44004 (comment) suggested "a baking-time of 1 release for this feature (after landing all the patches)". It's not semver-major so we could land it in 20.1.0 instead, but I assume that's not really an option because 20.x is picking up everything from the main branch.

To not land it on v20.x we would need a revert PR to all affected PRs, which I'm not considering as an option for now.

@RafaelGSS RafaelGSS added the commit-queue Add this label to land a pull request using GitHub Actions. label Apr 13, 2023
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Apr 13, 2023
@nodejs-github-bot nodejs-github-bot merged commit 1323992 into nodejs:main Apr 13, 2023
@nodejs-github-bot
Collaborator

Landed in 1323992

RafaelGSS added a commit that referenced this pull request Apr 13, 2023
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: #47529
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
@danielleadams danielleadams added the backport-requested-v18.x PRs awaiting manual backport to the v18.x-staging branch. label Jul 3, 2023
@tniessen tniessen added the permission Issues and PRs related to the Permission Model label Aug 10, 2023