[Bugs] #2410 LOW: privilege escalation: allows caller to store anything sugar-datastore has access to
Sugar Labs Bugs
bugtracker-noreply at sugarlabs.org
Tue Oct 5 13:56:56 EDT 2010
#2410: privilege escalation: allows caller to store anything sugar-datastore has
access to
--------------------------------+-------------------------------------------
Reporter: sascha_silbe | Owner: alsroot
Type: defect | Status: new
Priority: Low | Milestone: 0.92
Component: sugar-datastore | Version: Git as of bugdate
Severity: Critical | Keywords:
Status_field: New | Distribution:
Seeta_dev: |
--------------------------------+-------------------------------------------
sugar-datastore will happily open any file the caller tells it to save, so
the caller can store everything sugar-datastore has access to and later
retrieve it, thereby gaining full read access. This is of special concern
if activities are running in a sandbox, i.e. when using
[http://wiki.laptop.org/go/Rainbow].
We should refuse to open files the caller doesn't have read permissions
for. Not sure how exactly to achieve that without introducing a race
condition or using {{{setfsuid()}}} or {{{setuid()}}}, both of which
(naturally) require superuser rights.
As a general precaution sugar-datastore should also refuse to store
anything that isn't a regular file.
The practical implications of this are currently limited as the mainline
version of sugar-datastore still doesn't work with Rainbow (I have at
least a [http://git.sugarlabs.org/projects/sugar-datastore/repos/silbe/logs/7314430fb3dfe88eff626c773d32cd3fd329561d partial fix]
for that in my repo), but we should nevertheless fix it.
--
Ticket URL: <http://bugs.sugarlabs.org/ticket/2410>
Sugar Labs <http://sugarlabs.org/>
Sugar Labs bug tracking system
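
The two checks the ticket asks for (caller must have read permission, only regular files are stored), as an added sketch that is not sugar-datastore code: the file is opened first and every check is made with fstat() on the descriptor, so replacing the path afterwards cannot change which file is stored. Assumptions: the hypothetical `open_for_caller()` receives the caller's uid and group ids from the IPC layer, and only the file's own owner/group/other mode bits are compared (no ACLs, no search permission on parent directories).

```python
import os
import stat


def caller_may_read(st, uid, gids):
    """Owner/group/other read check against fstat() data (assumption: no ACLs)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def open_for_caller(path, uid, gids):
    """Open path read-only on behalf of a caller and return the descriptor.

    Raises PermissionError if the file is not a regular file or the caller
    could not read it; a symlink as final component fails in os.open() with
    OSError (ELOOP).
    """
    # O_NOFOLLOW: refuse a symlink in the final path component.
    # O_NONBLOCK: do not hang if the path names a FIFO or device.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    fd = os.open(path, flags)
    try:
        st = os.fstat(fd)  # describes the object actually opened
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file: %r" % path)
        if not caller_may_read(st, uid, gids):
            raise PermissionError("caller %d may not read %r" % (uid, path))
    except BaseException:
        os.close(fd)
        raise
    return fd  # read the data to store from this descriptor, not from path
```
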