-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
permission: fix chmod,chown,link, and lutimes #47529
permission: fix chmod,chown,link, and lutimes #47529
Conversation
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Fast-track has been requested by @RafaelGSS. Please 👍 to approve. |
I need to include it on v20.0.0 proposal for security reasons. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The title and description only mention chmod
and chown
, but based on the diff, it looks like there are also issues with link
and lutimes
.
We've previously delayed releasing the permission model whenever a new vulnerability was found. #44004 (comment) suggested a "a baking-time of 1 release for this feature (after landing all the patches)". It's not semver-major so we could land it in 20.1.0 instead, but I assume that's not really an option because 20.x is picking up everything from the main branch. |
To not land it on v20.x we would need a revert PR to all affected PRs, which I'm not considering as an option for now. |
Landed in 1323992 |
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #47529 Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #47529 Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #47529 Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
fs.chmod
,fs.chown
,fs.link
, andfs.lutimes
wasn't handled properly by the permission model. This PR fixes it and increase the coverage of all file system API using permission modelcc: @nodejs/security-wg