In my mind, if someone has access to the file system, then he/she can do the following:

1. Open the config_inc.php and get the database user name / password and extract the files from there.
2. Write up a PHP script and place it on the server which provides a link per attachment file and allows the client to download all attachments without any authentication.

My point is that if someone has access to the file system, then we are already exposed even if we guard the attachments.

Am I missing something? I would agree with the configuration option approach for default file permission as a compromise. But we still have the issue of what the default value should be. I typically prefer the "secure by default" approach, so I would stick with the original value as the default value.

On 3/30/07, Gianluca Sforna <giallu gmail.com> wrote:
> I am not able to add notes to this resolved/fixed bug (a behavior, which btw, I'd like to report as a bug ;) ) so here is my take on the topic:
>
> ---------- Forwarded message ----------
> <snip>
>
> ----------------------------------------------------------------------
> thraxisp - 2007-03-29 20:29
> ----------------------------------------------------------------------
> This patch does create a security hole, however. Any user that can log into the system can now view attachments.
>
> I'd suggest reverting this patch and running the web server backup as root, or the apache user.
>
> ---------- End Forwarded message ----------
>
> Well, if we want to "secure" mantis attachments, relying on filesystem permissions does not seem to be the best thing to do.
> In this case it would be at least advisable to note (probably in the install section of the manual) that the best method for storing attachments if the admin cares about security is the DB.
>
> However, I just made a grep on the sources for "chmod" and there are actually some other places where the 0400 is applied to a stored file so what about this alternative:
>
> * add a new configuration parameter ($g_default_file_permission) with 0400 as default
> * use that on the 3/4 places where chmod with a hardcoded value is used
>
> If you like this proposal, I can produce an updated patch for the issue
>
> Cheers
>
> Gianluca
>
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> mantisbt-dev mailing list
> mantisbt-dev lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mantisbt-dev
>
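A sketch of the configuration-parameter proposal discussed in this thread, as an added example that is not MantisBT code and not part of the original messages. `$g_default_file_permission` is the name proposed above; `apply_file_permission()` and its masking rules are assumptions made for illustration.

```php
<?php
// Added example, not MantisBT code. $g_default_file_permission is the name
// proposed in the thread; apply_file_permission() is a hypothetical helper.
$g_default_file_permission = 0400; // secure default: owner read-only

function apply_file_permission(string $path, $configured): int
{
    // Accept an int (0400) or an octal string ("0440") from the config file.
    $mode = is_string($configured) ? octdec($configured) : (int) $configured;

    // Keep only read/write bits; drop setuid/setgid/sticky and execute bits,
    // which a stored attachment never needs.
    $mode &= 0666;

    // The owner must be able to read, or the application cannot serve the file.
    $mode |= 0400;

    if (!chmod($path, $mode)) {
        throw new RuntimeException("chmod failed for $path");
    }
    clearstatcache(true, $path);
    $actual = fileperms($path) & 07777;

    // World-readable is the exposure raised in the thread: any local account
    // on the host could then read the attachment directly.
    if ($actual & 0004) {
        trigger_error("attachment $path is world-readable", E_USER_WARNING);
    }
    return $actual;
}

// Constructed demonstration on a temporary file.
$tmp = tempnam(sys_get_temp_dir(), 'att');
file_put_contents($tmp, "constructed attachment body\n");
printf("default:        %04o\n", apply_file_permission($tmp, $g_default_file_permission));
printf("group-readable: %04o\n", apply_file_permission($tmp, "0440"));
unlink($tmp);
```

With the default left at 0400, an administrator who wants a backup account to read attachments has to opt in explicitly, for example by setting 0440 and putting that account in the web server's group.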