[Pkg-ltsp-devel] Bug#565962: ltspfs: insufficient permissions on files.
Vagrant Cascadian
vagrant at freegeek.org
Wed Jan 20 04:55:47 UTC 2010
Package: ltspfs
Version: 0.5.3-3
Severity: important
Tags: security, patch
all versions of ltspfs prior to 0.5.14 may allow other users who are in the
same group as the user's primary group to read files mounted using ltspfs.
this is fixed upstream with the following patch:
http://bazaar.launchpad.net/~ltsp-upstream/ltspfs/ltspfs-trunk/revision/120/src/ltspfs.c
=== modified file 'src/ltspfs.c'
--- src/ltspfs.c 2009-03-06 21:28:04 +0000
+++ src/ltspfs.c 2010-01-12 21:05:47 +0000
@@ -343,6 +343,13 @@
stbuf->st_uid = fc->uid;
stbuf->st_gid = fc->gid;
+ /*
+ * Also, in order to make sure that all files are umask 700, we'll
+ * manipulate the st_mode at this point.
+ */
+
+ stbuf->st_mode = stbuf->st_mode & (S_IFDIR | S_IFREG | 0700);
+
if (!xdr_u_longlong_t(&in, &stbuf->st_rdev))
return -EACCES;
if (!xdr_longlong_t(&in, &stbuf->st_size))
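Review bot: the mask on the added stbuf->st_mode line keeps only the S_IFDIR and S_IFREG type bits, so every other file type is rewritten instead of preserved. With the usual Linux values a symlink (S_IFLNK, 0120000) comes out as a regular file, a block device (S_IFBLK, 0060000) comes out as a directory, and a FIFO or character device loses its type bits entirely. Masking with (S_IFMT | 0700) would still strip the group/other permissions and the setuid/setgid/sticky bits while leaving the file type intact. The new comment also says "umask 700", but what the code applies is a permission mask of 0700 (the equivalent umask would be 077), so the comment should be reworded.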
i haven't yet tested it, but it or a modified version will hopefully work with
0.5.3, as well.
live well,
vagrant