Bug 1216372

Summary: VUL-0: shadowsocks-rust: in /etc/shadowsocks potentially security sensitive configuration files are world-readable
Product: [openSUSE] openSUSE Tumbleweed Reporter: Matthias Gerstner <matthias.gerstner>
Component: SecurityAssignee: Hillwood Yang <hillwoodroc>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1212862    
Attachments: permission

Description Matthias Gerstner 2023-10-18 11:16:27 UTC 
+++ This bug was initially created as a clone of Bug #1212862

While reviewing shadowsocks-rust I found that our packaging create the
following configuration directory and example configuration file:

    $ ls -lhd /etc/shadowsocks
    drwxr-xr-x 2 root root 4.0K Oct 17 14:07 /etc/shadowsocks
    
    ls -lh /etc/shadowsocks/shadowsocks-rust.json
    -rw-r--r-- 1 root root 272 Oct 10 21:09 /etc/shadowsocks/shadowsocks-rust.json

The template configuration file contains e.g. this:

    "password": "mypassword"

The configuration file is pulled in by default by the systemd services that
are also part of our packaging:

    /usr/lib/systemd/system/shadowsocks-rust-client.service:ExecStart=/usr/bin/sslocal --log-without-time -c /etc/shadowsocks/shadowsocks-rust.json --tcp-fast-open
    /usr/lib/systemd/system/shadowsocks-rust-manager.service:ExecStart=/usr/bin/ssmanager --log-without-time -c /etc/shadowsocks/shadowsocks-rust.json --tcp-fast-open
    /usr/lib/systemd/system/shadowsocks-rust-server.service:ExecStart=/usr/bin/ssserver --log-without-time -c /etc/shadowsocks/shadowsocks-rust.json --tcp-fast-open

Since the configuration files are world-readable there is a local information
leak. Other unprivileged users in the system can obtain the password and maybe
misuse this information.

A solution should be found that these configuration files are only accessible
by a dedicated user or group that runs the shadowsock-rust services.

This problem only affects our SUSE packaging, not upstream.
Comment 1 OBSbugzilla Bot 2023-10-24 07:35:01 UTC 
This is an autogenerated message for OBS integration:
This bug (1216372) was mentioned in
https://build.opensuse.org/request/show/1119866 Factory / shadowsocks-rust
Comment 2 OBSbugzilla Bot 2023-10-26 08:35:01 UTC 
This is an autogenerated message for OBS integration:
This bug (1216372) was mentioned in
https://build.opensuse.org/request/show/1120484 Factory / shadowsocks-rust
Comment 3 Matthias Gerstner 2023-11-15 10:32:14 UTC 
This is still not fixed. We now have:

    $ ls -lhd /etc/shadowsocks/
    drwxr-xr-x 2 root shadowsocks 4.0K Nov 15 11:29 /etc/shadowsocks
    
    ls -lhd /etc/shadowsocks/shadowsocks-rust.json
    -rw-r--r-- 1 root shadowsocks 272 Oct 26 21:17 /etc/shadowsocks/shadowsocks-rust.json

We now have a dedicated group but the files are still world readable. We need
-rw-r----- permissions on the file and drwxr-x--- permissions on the
directory.
Comment 4 Matthias Gerstner 2023-12-08 13:01:17 UTC 
any news here?
Comment 5 Hillwood Yang 2023-12-10 11:15:46 UTC 
(In reply to Matthias Gerstner from comment #4)
> any news here?

Is setting permissions as 640 ok? Sorry I'm in hospital.
Comment 6 Hillwood Yang 2023-12-10 11:16:28 UTC 
Created attachment 871228 [details]
permission
Comment 7 Matthias Gerstner 2023-12-12 10:24:49 UTC 
Yes these permissions are better.
Comment 8 OBSbugzilla Bot 2023-12-15 13:35:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1216372) was mentioned in
https://build.opensuse.org/request/show/1133426 Backports:SLE-15-SP4 / shadowsocks-libev
https://build.opensuse.org/request/show/1133428 Backports:SLE-15-SP5 / shadowsocks-libev
Comment 9 Hillwood Yang 2023-12-16 12:15:04 UTC 
Fixed
Comment 10 Marcus Meissner 2023-12-18 05:04:53 UTC 
openSUSE-RU-2023:0408-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1216372,1216373
CVE References: 
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP4 (src):    shadowsocks-libev-3.3.5-bp154.3.3.1
Comment 11 Marcus Meissner 2023-12-21 20:04:52 UTC 
openSUSE-RU-2023:0412-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1216372,1216373
CVE References: 
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    shadowsocks-libev-3.3.5-bp155.4.3.1
Comment 12 Matthias Gerstner 2024-01-16 12:55:06 UTC 
the config file and its directory now have proper permissions