Unix: Don't create world-writable files when safe save is enabled #96399
Conversation
akien-mga
changed the title
|
Makes sense to me. I also see another Error FileAccessUnixPipe::open_internal(const String &p_path, int p_mode_flags) {
...
if (mkfifo(path.utf8().get_data(), 0666) != 0) { |
I think this should be 0600 to make sure only the current user can read from or write to the pipe. I'm not too familiar with how pipes are used in Godot but I suspect there wouldn't be (shouldn't be) multiple users involved in communication over them. |
When the "filesystem/on_save/safe_save_on_backup_then_rename" option is enabled files are created with 0666 permissions (-rw-rw-rw-) which is too loose. Use 0644 (-rw-r--r--) instead which is how the files would normally be created with the setting disabled and the system umask taken into account.
Named pipes created using the "pipe://" file access scheme should not be world-writable or readable. Limit their access to the current user by creating them with 0600 permissions instead of 0666.
|
I've added a commit to limit the pipe permissions too. |
|
(Polite nudge for reviews or merge.) |
| @@ -97,7 +97,7 @@ Error FileAccessUnix::open_internal(const String &p_path, int p_mode_flags) { | |||
| last_error = ERR_FILE_CANT_OPEN; | |||
| return last_error; | |||
| } | |||
| fchmod(fd, 0666); | |||
| fchmod(fd, 0644); | |||
| @@ -65,7 +65,7 @@ Error FileAccessUnixPipe::open_internal(const String &p_path, int p_mode_flags) | |||
| struct stat st = {}; | |||
| int err = stat(path.utf8().get_data(), &st); | |||
| if (err) { | |||
| if (mkfifo(path.utf8().get_data(), 0666) != 0) { | |||
| if (mkfifo(path.utf8().get_data(), 0600) != 0) { | |||
There was a problem hiding this comment.
Why? Pipes are only useful for IPC, I would expect it to be accessible by every process.
There was a problem hiding this comment.
I would only trust the processes running as my user, or users I explicitly give permission to. If I was playing a game that uses pipes for IPC, on a shared home computer, and my smart little sister figured out that she could prank me by sshing in and writing garbage to /tmp/game-pipe to crash the game then I would complain to the game developer.
The main purpose for pipes at the moment seems to be to support OS.execute_with_pipe(), which only needs 0600 permissions because the subprocess runs as the same user. If devs create pipes directly and want to loosen the access then they could use FileAccess.set_unix_permissions().
|
Are there any outstanding concerns with this PR? @bruvzg? |
When the "filesystem/on_save/safe_save_on_backup_then_rename" option is enabled, files are created with 0666 permissions (-rw-rw-rw-) which is too loose. Use 0644 (-rw-r--r--) instead which is how the files would normally be created with the setting disabled and the system umask taken into account.
Note: Originally I was going to remove the fchmod() entirely and allow mkstemp() to set the permissions based on the umask but #79866 (comment) suggests that would break web builds. However, there should be no reason for files created by godot to ever be world-writable.