PATCH: PR27571: debuginfod client, cache file permissions

PATCH: PR27571: debuginfod client, cache file permissions

[Frank Ch. Eigler]

Author: Frank Ch. Eigler <fche@redhat.com>
Date:   Mon Apr 26 12:21:03 2021 -0400

    PR27571: debuginfod client cache - file permissions
    
    Files in the download cache should be read-only.
    
    Signed-off-by: Frank Ch. Eigler <fche@redhat.com>

diff --git a/debuginfod/ChangeLog b/debuginfod/ChangeLog
index 9af641ec0e13..3909100903cb 100644
--- a/debuginfod/ChangeLog
+++ b/debuginfod/ChangeLog
@@ -1,3 +1,9 @@
+2021-04-26  Frank Ch. Eigler <fche@redhat.com>
+
+	PR27571
+	* debuginfod-client.c (debuginfod_query_server): Chmod 0400 files
+	delivered into the cache to prevent accidental modification.
+
 2021-04-26  Frank Ch. Eigler <fche@redhat.com>
 
 	PR26125
diff --git a/debuginfod/debuginfod-client.c b/debuginfod/debuginfod-client.c
index 0170500faaa9..374989e26d43 100644
--- a/debuginfod/debuginfod-client.c
+++ b/debuginfod/debuginfod-client.c
@@ -720,7 +720,7 @@ debuginfod_query_server (debuginfod_client *c,
   /* Because of a race with cache cleanup / rmdir, try to mkdir/mkstemp up to twice. */
   for(int i=0; i<2; i++) {
     /* (re)create target directory in cache */
-    (void) mkdir(target_cache_dir, 0700);
+    (void) mkdir(target_cache_dir, 0700); /* files will be 0400 later */
 
     /* NB: write to a temporary file first, to avoid race condition of
        multiple clients checking the cache, while a partially-written or empty
@@ -1054,6 +1054,9 @@ debuginfod_query_server (debuginfod_client *c,
   tvs[0].tv_usec = tvs[1].tv_usec = 0;
   (void) futimes (fd, tvs);  /* best effort */
 
+  /* PR27571: make cache files casually unwriteable; dirs are already 0700 */
+  (void) fchmod(fd, 0400);
+                
   /* rename tmp->real */
   rc = rename (target_cache_tmppath, target_cache_path);
   if (rc < 0)
diff --git a/tests/ChangeLog b/tests/ChangeLog
index 4995ba609b29..0712417fa6cd 100644
--- a/tests/ChangeLog
+++ b/tests/ChangeLog
@@ -1,3 +1,8 @@
+2021-04-26  Frank Ch. Eigler <fche@redhat.com>
+
+	PR27571
+	* run-debuginfod-find.sh: Add test case for unwriteable cache files.
+
 2021-04-26  Frank Ch. Eigler <fche@redhat.com>
 
 	PR26125
diff --git a/tests/run-debuginfod-find.sh b/tests/run-debuginfod-find.sh
index 2ba31d8266f6..7ad2a45d3aac 100755
--- a/tests/run-debuginfod-find.sh
+++ b/tests/run-debuginfod-find.sh
@@ -176,6 +176,10 @@ testrun ${abs_builddir}/debuginfod_build_id_find -e F/prog 1
 rm -rf $DEBUGINFOD_CACHE_PATH # clean it from previous tests
 filename=`testrun ${abs_top_builddir}/debuginfod/debuginfod-find debuginfo $BUILDID`
 cmp $filename F/prog.debug
+if [ -w $filename ]; then
+    echo "cache file writable, boo"
+    exit 1
+fi
 
 filename=`testrun ${abs_top_builddir}/debuginfod/debuginfod-find executable F/prog`
 cmp $filename F/prog

Re: PATCH: PR27571: debuginfod client, cache file permissions

[Mark Wielaard]

Hi Frank,

On Mon, 2021-04-26 at 12:22 -0400, Frank Ch. Eigler via Elfutils-devel wrote:
> Author: Frank Ch. Eigler <fche@redhat.com>
> Date:   Mon Apr 26 12:21:03 2021 -0400
> 
>     PR27571: debuginfod client cache - file permissions
>     
>     Files in the download cache should be read-only.
>     
>     Signed-off-by: Frank Ch. Eigler <fche@redhat.com>
> 
> diff --git a/debuginfod/ChangeLog b/debuginfod/ChangeLog
> index 9af641ec0e13..3909100903cb 100644
> --- a/debuginfod/ChangeLog
> +++ b/debuginfod/ChangeLog
> @@ -1,3 +1,9 @@
> +2021-04-26  Frank Ch. Eigler <fche@redhat.com>
> +
> +	PR27571
> +	* debuginfod-client.c (debuginfod_query_server): Chmod 0400 files
> +	delivered into the cache to prevent accidental modification.

Yes, sounds like a good idea.

Thanks,

Mark