Don't create keyfile with insecure permissions #263

Closed
opened 2013-06-26 14:49:29 +02:00 by fiatflux · 2 comments
fiatflux commented 2013-06-26 14:49:29 +02:00 (Migrated from github.com)

Issue #258 is similar, but slightly different.

Even with the fix from pull/#262, there is a (milder) vulnerability: on some systems a malicious process can get a file handle during the short time that keys.dat remains in a readable state. If the user creates a key while the malicious process has a valid handle, the malware can read the key. Even after permissions change!

The fix is to ensure the keys.dat file is never readable except by the owner. On posix systems this should be a simple os.umask(0o077) before any file creation. But I don't know how to do this in a platform-independent way, and I have very little time for a few weeks.

Issue #258 is similar, but slightly different. Even with the fix from pull/#262, there is a (milder) vulnerability: on some systems a malicious process can get a file handle during the short time that keys.dat remains in a readable state. If the user creates a key while the malicious process has a valid handle, the malware can read the key. Even after permissions change! The fix is to ensure the keys.dat file is never readable except by the owner. On posix systems this should be a simple os.umask(0o077) before any file creation. But I don't know how to do this in a platform-independent way, and I have very little time for a few weeks.
DivineOmega commented 2013-06-26 17:43:13 +02:00 (Migrated from github.com)

According to the Python manual os.umask is available in Windows and Linux. Although I can not vouch for exactly what it does in Windows as obviously the filesystem security model in Windows is somewhat different.

http://docs.python.org/2/library/os.html#os.umask

According to the Python manual os.umask is available in Windows and Linux. Although I can not vouch for exactly what it does in Windows as obviously the filesystem security model in Windows is somewhat different. http://docs.python.org/2/library/os.html#os.umask
fiatflux commented 2013-06-26 18:14:42 +02:00 (Migrated from github.com)

Ack, likewise on the uncertainty about the Windows security model, so I'd
love for someone more familiar to chime in!

Ack, likewise on the uncertainty about the Windows security model, so I'd love for someone more familiar to chime in!
This repo is archived. You cannot comment on issues.
No Milestone
No project
No Assignees
1 Participants
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: Bitmessage/PyBitmessage-2024-12-02#263
No description provided.