Security fix: Incorrect permission assignment for critical resource

2023-07-14 16:49:57 +02:00 · 2023-07-14 16:49:57 +02:00 · f097c029f3
parent 499e251796
commit f097c029f3
10 changed files with 17 additions and 17 deletions
--- a/admin/main.go
+++ b/admin/main.go
@ -212,11 +212,11 @@ func main() {
 	}

 	// Creating minimal directories structure
-	os.MkdirAll(fic.FilesDir, 0777)
+	os.MkdirAll(fic.FilesDir, 0751)
 	os.MkdirAll(pki.PKIDir, 0711)
-	os.MkdirAll(api.TeamsDir, 0777)
-	os.MkdirAll(api.DashboardDir, 0777)
-	os.MkdirAll(settings.SettingsDir, 0777)
+	os.MkdirAll(api.TeamsDir, 0751)
+	os.MkdirAll(api.DashboardDir, 0751)
+	os.MkdirAll(settings.SettingsDir, 0751)

 	// Load rules plugins
 	for _, p := range checkplugins {
--- a/admin/pki/ca.go
+++ b/admin/pki/ca.go
@ -47,8 +47,8 @@ func GenerateCA(notBefore time.Time, notAfter time.Time) error {
 	}

 	// Ensure directories exists
-	os.Mkdir(PKIDir, 0777)
-	os.Mkdir(path.Join(PKIDir, "shared"), 0777)
+	os.Mkdir(PKIDir, 0751)
+	os.Mkdir(path.Join(PKIDir, "shared"), 0751)

 	pub, priv, err := GeneratePrivKey()
 	if err != nil {
--- a/admin/sync/file.go
+++ b/admin/sync/file.go
@ -189,7 +189,7 @@ func getDestinationFilePath(URI string) string {
 }

 func importFile(i Importer, URI string, dest string) error {
-	if err := os.MkdirAll(path.Dir(dest), 0755); err != nil {
+	if err := os.MkdirAll(path.Dir(dest), 0751); err != nil {
 		return err
 	}

--- a/admin/sync/importer_localfs.go
+++ b/admin/sync/importer_localfs.go
@ -64,7 +64,7 @@ func (i LocalImporter) importFile(URI string, next func(string, string) (interfa
 	if i.Symlink {
 		dest := getDestinationFilePath(URI)

-		if err := os.MkdirAll(path.Dir(dest), 0755); err != nil {
+		if err := os.MkdirAll(path.Dir(dest), 0751); err != nil {
 			return nil, err
 		}

--- a/checker/main.go
+++ b/checker/main.go
@ -107,7 +107,7 @@ func main() {

 	log.Println("Creating submission directory...")
 	if _, err := os.Stat(path.Join(SubmissionDir, ".tmp")); os.IsNotExist(err) {
-		if err := os.MkdirAll(path.Join(SubmissionDir, ".tmp"), 0777); err != nil {
+		if err := os.MkdirAll(path.Join(SubmissionDir, ".tmp"), 0700); err != nil {
 			log.Fatal("Unable to create submission directory: ", err)
 		}
 	}
--- a/checker/registration.go
+++ b/checker/registration.go
@ -39,7 +39,7 @@ func registrationProcess(id string, team *fic.Team, members []fic.Member, team_i
 	teamDirPath := fmt.Sprintf("%d", team.Id)

 	// Create team directories into TEAMS
-	if err := os.MkdirAll(path.Join(TeamsDir, teamDirPath), 0777); err != nil {
+	if err := os.MkdirAll(path.Join(TeamsDir, teamDirPath), 0751); err != nil {
 		log.Println(id, "[ERR]", err)
 	}
 	if err := os.Symlink(teamDirPath, path.Join(TeamsDir, team_id)); err != nil {
--- a/evdist/main.go
+++ b/evdist/main.go
@ -53,14 +53,14 @@ func main() {
 	log.Println("Creating settingsDist directory...")
 	TmpSettingsDistDirectory = path.Join(SettingsDistDir, ".tmp")
 	if _, err := os.Stat(TmpSettingsDistDirectory); os.IsNotExist(err) {
-		if err = os.MkdirAll(TmpSettingsDistDirectory, 0755); err != nil {
+		if err = os.MkdirAll(TmpSettingsDistDirectory, 0751); err != nil {
 			log.Fatal("Unable to create settingsdist directory:", err)
 		}
 	}

 	TmpSettingsDirectory = path.Join(settings.SettingsDir, ".tmp")
 	if _, err := os.Stat(TmpSettingsDirectory); os.IsNotExist(err) {
-		if err = os.MkdirAll(TmpSettingsDirectory, 0755); err != nil {
+		if err = os.MkdirAll(TmpSettingsDirectory, 0751); err != nil {
 			log.Fatal("Unable to create settings directory:", err)
 		}
 	}
--- a/generator/generation.go
+++ b/generator/generation.go
@ -172,7 +172,7 @@ func genTeamIssuesFile(teamid int64) error {
 	}

 	if s, err := os.Stat(dirPath); os.IsNotExist(err) {
-		os.MkdirAll(dirPath, 0777)
+		os.MkdirAll(dirPath, 0751)
 	} else if !s.IsDir() {
 		return fmt.Errorf("%s is not a directory", dirPath)
 	}
@ -196,7 +196,7 @@ func genTeamMyFile(teamid int64) error {
 	dirPath := path.Join(TeamsDir, fmt.Sprintf("%d", team.Id))

 	if s, err := os.Stat(dirPath); os.IsNotExist(err) {
-		os.MkdirAll(dirPath, 0777)
+		os.MkdirAll(dirPath, 0751)
 	} else if !s.IsDir() {
 		return fmt.Errorf("%s is not a directory", dirPath)
 	}
@ -236,7 +236,7 @@ func genMyPublicFile() error {
 	dirPath := path.Join(TeamsDir, "public")

 	if s, err := os.Stat(dirPath); os.IsNotExist(err) {
-		os.MkdirAll(dirPath, 0777)
+		os.MkdirAll(dirPath, 0751)
 	} else if !s.IsDir() {
 		return fmt.Errorf("%s is not a directory", dirPath)
 	}
--- a/generator/main.go
+++ b/generator/main.go
@ -124,7 +124,7 @@ func main() {
 				}
 			}

-			os.MkdirAll(path.Dir(*bind), 0777)
+			os.MkdirAll(path.Dir(*bind), 0751)

 			unixListener, err := net.Listen("unix", *bind)
 			if err != nil {
--- a/receiver/save.go
+++ b/receiver/save.go
@ -35,7 +35,7 @@ func saveTeamFile(p string, w http.ResponseWriter, r *http.Request) bool {
 func saveFile(p string, r *http.Request) error {
 	dirname := path.Dir(p)
 	if _, err := os.Stat(dirname); os.IsNotExist(err) {
-		if err = os.MkdirAll(dirname, 0755); err != nil {
+		if err = os.MkdirAll(dirname, 0751); err != nil {
 			return err
 		}
 	}