Bugzilla – Bug 1216372
VUL-0: shadowsocks-rust: in /etc/shadowsocks potentially security sensitive configuration files are world-readable
Last modified: 2024-01-16 12:55:06 UTC
+++ This bug was initially created as a clone of Bug #1212862 While reviewing shadowsocks-rust I found that our packaging create the following configuration directory and example configuration file: $ ls -lhd /etc/shadowsocks drwxr-xr-x 2 root root 4.0K Oct 17 14:07 /etc/shadowsocks ls -lh /etc/shadowsocks/shadowsocks-rust.json -rw-r--r-- 1 root root 272 Oct 10 21:09 /etc/shadowsocks/shadowsocks-rust.json The template configuration file contains e.g. this: "password": "mypassword" The configuration file is pulled in by default by the systemd services that are also part of our packaging: /usr/lib/systemd/system/shadowsocks-rust-client.service:ExecStart=/usr/bin/sslocal --log-without-time -c /etc/shadowsocks/shadowsocks-rust.json --tcp-fast-open /usr/lib/systemd/system/shadowsocks-rust-manager.service:ExecStart=/usr/bin/ssmanager --log-without-time -c /etc/shadowsocks/shadowsocks-rust.json --tcp-fast-open /usr/lib/systemd/system/shadowsocks-rust-server.service:ExecStart=/usr/bin/ssserver --log-without-time -c /etc/shadowsocks/shadowsocks-rust.json --tcp-fast-open Since the configuration files are world-readable there is a local information leak. Other unprivileged users in the system can obtain the password and maybe misuse this information. A solution should be found that these configuration files are only accessible by a dedicated user or group that runs the shadowsock-rust services. This problem only affects our SUSE packaging, not upstream.
This is an autogenerated message for OBS integration: This bug (1216372) was mentioned in https://build.opensuse.org/request/show/1119866 Factory / shadowsocks-rust
This is an autogenerated message for OBS integration: This bug (1216372) was mentioned in https://build.opensuse.org/request/show/1120484 Factory / shadowsocks-rust
This is still not fixed. We now have: $ ls -lhd /etc/shadowsocks/ drwxr-xr-x 2 root shadowsocks 4.0K Nov 15 11:29 /etc/shadowsocks ls -lhd /etc/shadowsocks/shadowsocks-rust.json -rw-r--r-- 1 root shadowsocks 272 Oct 26 21:17 /etc/shadowsocks/shadowsocks-rust.json We now have a dedicated group but the files are still world readable. We need -rw-r----- permissions on the file and drwxr-x--- permissions on the directory.
any news here?
(In reply to Matthias Gerstner from comment #4) > any news here? Is setting permissions as 640 ok? Sorry I'm in hospital.
Created attachment 871228 [details] permission
Yes these permissions are better.
This is an autogenerated message for OBS integration: This bug (1216372) was mentioned in https://build.opensuse.org/request/show/1133426 Backports:SLE-15-SP4 / shadowsocks-libev https://build.opensuse.org/request/show/1133428 Backports:SLE-15-SP5 / shadowsocks-libev
Fixed
openSUSE-RU-2023:0408-1: An update that has two recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1216372,1216373 CVE References: JIRA References: Sources used: openSUSE Backports SLE-15-SP4 (src): shadowsocks-libev-3.3.5-bp154.3.3.1
openSUSE-RU-2023:0412-1: An update that has two recommended fixes can now be installed. Category: recommended (moderate) Bug References: 1216372,1216373 CVE References: JIRA References: Sources used: openSUSE Backports SLE-15-SP5 (src): shadowsocks-libev-3.3.5-bp155.4.3.1
the config file and its directory now have proper permissions