Bug 2269 - [tdm] Wrong verification of the TDM control socket
Summary: [tdm] Wrong verification of the TDM control socket
Status: RESOLVED FIXED
Alias: None
Product: TDE
Classification: Unclassified
Component: tdebase
Version: R14.0.0 [Trinity]
Hardware: Other Linux
Importance: P5 normal
Assignee: Slávek Banko
Blocks: R14.0.1
Reported: 2014-12-21 20:22 CST by Slávek Banko
Modified: 2014-12-27 18:42 CST
Application Name: tdm_greet


Attachments
Fix verification of the TDM control socket (1.53 KB, patch)
2014-12-21 20:22 CST, Slávek Banko
Fix verification of the TDM control socket (1) (2.85 KB, patch)
2014-12-26 05:13 CST, Slávek Banko
Description Slávek Banko 2014-12-21 20:22:12 CST
Created attachment 2402
Fix verification of the TDM control socket

In tdm.log I noticed the following message:

[WARNING] Possible security breach!  Please check permissions on /tmp/tdesocket-global/tdm (must be 600 and owned by root/root, got 700 0/0).  Not listening for login credentials on remote control socket.


Permissions are verified on the folder, but 600 is required instead of 700, which is weird. For this reason, TDM does not listen on the control socket.

Furthermore, I believe that permissions should be verified on the particular socket file, not on the folder. Therefore, I have prepared a patch in that sense.

Please verify the attached patch.
Comment 1 Darrell 2014-12-22 15:55:31 CST
Is this related to bug 884?
Comment 2 Slávek Banko 2014-12-22 20:12:22 CST
(In reply to Darrell from comment #1)
> Is this related to bug 884?

No, these are two different sockets.
Comment 3 Francois Andriot 2014-12-23 03:53:46 CST
This bug was introduced while building for OpenBSD.
The directory itself originally was set to mode 600.
In Linux, TDM still managed to read the socket file inside the folder and there was no error. In OpenBSD, it could not, so it needed to be 700. But now, there is this error message ...
Comment 4 Michele Calgaro 2014-12-24 23:47:42 CST
> In OpenBSD, it could not, so it needed to be 700. But now, there is this error 
> message ...
I am *no* expert at all on OpenBSD, but IMO it is kind of weird that executable permission is required to read a file. Are we sure there wasn't some other reason that caused problems in OpenBSD?
Comment 5 Slávek Banko 2014-12-26 04:20:07 CST
(In reply to Michele Calgaro from comment #4)
> > In OpenBSD, it could not, so it needed to be 700. But now, there is this error 
> > message ...
> I am *no* expert at all on OpenBSD, but IMO it is kind of weird that
> executable permission is required to read a file. Are we sure there wasn't
> some other reason that caused problems in OpenBSD?

Michele, on OpenBSD the problem was not with permissions on the file, but on a folder. And folder permissions 700 seem okay to me.
Comment 6 Slávek Banko 2014-12-26 04:27:00 CST
(In reply to Francois Andriot from comment #3)
> This bug was introduced while building for OpenBSD.
> The directory itself originally was set to mode 600.
> In Linux, TDM still managed to read the socket file inside the folder and
> there was no error. In OpenBSD, it could not, so it needed to be 700. But
> now, there is this error message ...

Yes, I am aware that the problem has its origin in the patch for OpenBSD. Because permissions 700 on the folder seem OK to me, my question is whether the code should verify only the folder (for permission 700 - as in the current code), only the socket file (for permission 600 - as in attachment 2402), or both?
Comment 7 Slávek Banko 2014-12-26 05:13:45 CST
Created attachment 2405
Fix verification of the TDM control socket (1)

Added verification for both - folder as well as file-socket.
Also fixed socket file name in warning message.

Which patch seems to be more appropriate?
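
The check described in comment 7 (both the folder and the socket file), written as an added C example that is not the code from attachment 2405 or from TDM. The function names, the flag values and the sample path /tmp/ctlsock-XXXXXX are hypothetical, and the expected owner is a parameter so the example can run unprivileged (the warning in the description expects root/root).

```c
#define _XOPEN_SOURCE 700   /* lstat, mkdtemp, S_IFSOCK under strict -std modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

enum { BAD_STAT = 1, BAD_TYPE = 2, BAD_MODE = 4, BAD_OWNER = 8 };

/* lstat() judges the path itself; 07777 also rejects setuid/setgid/sticky bits. */
static int check_node(const char *path, mode_t type, mode_t mode, uid_t uid, gid_t gid)
{
    struct stat st;
    if (lstat(path, &st) != 0) return BAD_STAT;
    return ((st.st_mode & S_IFMT) != type ? BAD_TYPE : 0)
         | ((st.st_mode & 07777) != mode ? BAD_MODE : 0)
         | ((st.st_uid != uid || st.st_gid != gid) ? BAD_OWNER : 0);
}

/* Hypothetical helper, not TDM's function: directory 0700 and socket 0600, both owned
 * by uid/gid. Returns 0 when safe to listen; low 4 bits = directory, next 4 = socket. */
int check_control_socket(const char *dir, const char *sock, uid_t uid, gid_t gid)
{
    return check_node(dir, S_IFDIR, 0700, uid, gid)
         | (check_node(sock, S_IFSOCK, 0600, uid, gid) << 4);
}

/* Constructed sample: a private temp directory with a bound Unix socket inside. */
int make_sample(char *dir, size_t dlen, char *sock, size_t slen)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int fd;
    snprintf(dir, dlen, "/tmp/ctlsock-XXXXXX");
    if (!mkdtemp(dir)) return -1;               /* mkdtemp creates it with mode 0700 */
    snprintf(sock, slen, "%s/ctl", dir);
    strncpy(sa.sun_path, sock, sizeof sa.sun_path - 1);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) { close(fd); return -1; }
    close(fd);                                  /* the socket inode stays on disk */
    return chmod(sock, 0600);
}

int main(void)
{
    char d[64], s[80];
    if (make_sample(d, sizeof d, s, sizeof s) != 0) return 1;
    printf("%s: flags %#x\n", s, check_control_socket(d, s, geteuid(), getegid()));
    return unlink(s) | rmdir(d);
}
```

Any non-zero result is the case in which the daemon should refuse to listen, as the warning quoted in the description does.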
Comment 8 Michele Calgaro 2014-12-26 07:15:29 CST
> on OpenBSD was not a problem with permissions on the file, but on a folder.
> And folder permissions 700 for me seems to be okay.
I am still puzzled why with permission 600 on the folder, OpenBSD fails to access the file inside the folder. "read" permission is there, so I would expect that you can read inside the folder. But again, I have basically no knowledge of OpenBSD and there may be something else going on that I am not aware of. Just wondering.

> Which patch seems to be more appropriate?
IMO the meaning of the second one (attachment 2405) is clearer to understand, compared to the first one. Just my opinion though.
Comment 9 Slávek Banko 2014-12-26 08:49:15 CST
(In reply to Michele Calgaro from comment #8)
> > on OpenBSD was not a problem with permissions on the file, but on a folder.
> > And folder permissions 700 for me seems to be okay.
> I am still puzzled why with permission 600 on the folder, OpenBSD fails to
> access the file inside the folder. "read" permission is there, so I would
> expect that you can read inside the folder. But again, I have basically no
> knowledge of OpenBSD and there may be something else going on that I am not
> aware of. Just wondering.
> 

In this we are in similar positions - my knowledge of *BSD is also small. That is why I go by the knowledge from François.

> > Which patch seems to be more appropriate?
> IMO the meaning of the second one (attachment 2405) is clearer to
> understand, compared to the first one. Just my opinion though.

I therefore propose to push the patch from attachment 2405 and close this bug report as resolved. If anyone gets to a closer examination of the problem with permissions 600 on the folder, that can be postponed for a possible future patch.
Comment 10 Michele Calgaro 2014-12-26 19:49:12 CST
>I therefore propose to push the patch from attachment 2405 and close 
>this bug report as resolved. If anyone gets to a closer examination of the 
>problem with permissions 600 on the folder, can be postponed for possible 
>future patch.
Sounds good to me. Go ahead.
Comment 11 Slávek Banko 2014-12-27 18:42:29 CST
Fixed in GIT hash 72a63275 (master) and af7b17f8 (r14.0.x)