mirror of
https://github.com/certbot/certbot.git
synced 2026-03-28 13:23:09 -04:00
50fa04ba0c
This PR gets its root from an observation I did on current version of Certbot (1.3.0): the `renewal-hooks` directory in Certbot configuration directory is created on Windows with write permissions to everybody. I thought it was a critical bug since this directory contains hooks that are executed by Certbot, and you certainly do not want this folder to be open to any malicious hook that could be inserted by everyone, then executed with administrator privileges by Certbot. Turns out for this specific problem that the bug is not critical for the hooks, because the scripts are expected to be in subdirectories of `renewal-hooks` (namely `pre`, `post` and `deploy`), and these subdirectories have proper permissions because we set them explicitly when Certbot is starting. Still, there is a divergence here between Linux and Windows: on Linux all Certbot directories without explicit permissions have at maximum `0o755` permissions by default, while on Windows it is a `0o777` equivalent. It is not an immediate security risk, but it is definitly error-prone, not expected, and so a potential breach in the future if we forget about it. Root cause is that umask is not existing in Windows. Indeed under Linux the umask defines the default permissions when you create a file or a directory. Python takes that into account, with an API for `os.open` and `os.mkdir` that expose a `mode` parameter with default value of `0o777`. In practice it is never `0o777` (either you the the `mode` explictly or left the default one) because the effective mode is masked by the current umask value in the system: on Linux it is `0o022`, so files/directories have a maximum mode of `0o755` if you did not set the umask explicitly, and it is what it is observed for Certbot. However on Windows, the `mode` value passed (and got from default) to the `open` and `mkdir` of `certbot.compat.filesystem` module is taken verbatim, since umask does not exit, and then is used to calculate the DACL of the newly created file/directory. So if the mode is not set explicitly, we end up with files and directories with `0o777` permissions. This PR fixes this problem by implementing a umask behavior in the `certbot.compat.filesystem` module, that will be applied to any file or directory created by Certbot since we forbid to use the `os` module directly. The implementation is quite straight-forward. For Linux the behavior is not changed. On Windows a `mask` parameter is added to the function that calculates the DACL, to be invoked appropriately when file or directory are created. The actual value of the mask is taken from an internal class of the `filesystem` module: its default value is `0o755` to match default umasks on Linux, and can be changed with the new method `umask` that have the same behavior than the original `os.umask`. Of course `os.umask` becomes a forbidden function and `filesystem.umask` must be used instead. Existing code that is impacted have been updated, and new unit tests are created for this new function. * Implement umask for Windows * Set umask at the beginning of tests * Fix lint, update local oldest requirements * Update certbot-apache/setup.py Co-authored-by: Brad Warren <bmw@users.noreply.github.com> * Improve tests * Adapt filesystem.makedirs for Windows * Fix * Update certbot-apache/setup.py Co-authored-by: Brad Warren <bmw@users.noreply.github.com> * Changelog entries * Fix lint * Update certbot/CHANGELOG.md Co-authored-by: Brad Warren <bmw@users.noreply.github.com> Co-authored-by: Brad Warren <bmw@users.noreply.github.com> |
||
|---|---|---|
| .. | ||
| augeas_lens | ||
| tls_configs | ||
| __init__.py | ||
| apache_util.py | ||
| apacheparser.py | ||
| assertions.py | ||
| augeasparser.py | ||
| configurator.py | ||
| constants.py | ||
| display_ops.py | ||
| dualparser.py | ||
| entrypoint.py | ||
| http_01.py | ||
| interfaces.py | ||
| obj.py | ||
| override_arch.py | ||
| override_centos.py | ||
| override_darwin.py | ||
| override_debian.py | ||
| override_fedora.py | ||
| override_gentoo.py | ||
| override_suse.py | ||
| parser.py | ||
| parsernode_util.py | ||