
gpg-wks-client generates Web Key Directory with bad permissions.
Testing, Low, Public

Description

When gpg-wks-client generates a Web Key Directory as described on https://wiki.gnupg.org/WKDHosting, it gives the files and directories bad access permissions.

I'm using GnuPG 2.2.20 as packaged in Fedora 32.

Both directories' and key files' permissions are set to -rwxr--r--. Policy files' permissions are set to -rw-rw-r-- (or maybe not explicitly set, and caused only by the user's umask).

I assume below that the web server daemon does not own the files as it's not supposed to update them.

The daemon does not need permission to read the directories and serve file lists, but needs permission to access files in the directories. The permissions of directories should therefore be -rwx--x--x.

Key files are not programs and should not be marked as executable. Their permissions should be -rw-r--r--.

I don't see why policy files would need to be group-writable when key files and directories are not. Make them -rw-r--r-- too.

Details

Version
2.2.20
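An added audit script, not part of the report or of GnuPG, that walks a generated WKD tree, flags the three problems described above (directories without traverse permission for others, executable key files, group-writable policy files) and applies the modes the thread proposes. The directory layout, file names and the hash placeholder are constructed sample values.

```python
import os
import stat
import tempfile

# Modes the thread settles on: directories traversable by everyone (0o755 as in the
# suggested patch; 0o711 is the stricter variant from the report), files 0o644.
DIR_MODE = 0o755
FILE_MODE = 0o644

def audit_wkd(root):
    """Return (path, problem) pairs for entries whose mode would stop the web
    server from serving keys or is needlessly permissive."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if not mode & stat.S_IXOTH:
                # r without x lets others list names but not open the files inside
                problems.append((path, "directory lacks --x for others"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                problems.append((path, "file marked executable"))
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append((path, "file writable by group/others"))
    return problems

def fix_wkd(root):
    """Apply DIR_MODE / FILE_MODE to everything below root (root itself untouched)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), DIR_MODE)
        for name in filenames:
            os.chmod(os.path.join(dirpath, name), FILE_MODE)

def build_sample_tree():
    """Constructed sample with the reported modes (-rwxr--r-- dirs/key, -rw-rw-r-- policy)."""
    root = tempfile.mkdtemp()
    domain = os.path.join(root, "example.org")
    hu = os.path.join(domain, "hu")
    os.makedirs(hu)
    key = os.path.join(hu, "constructed-hash-placeholder")  # stands in for the WKD hash name
    policy = os.path.join(domain, "policy")
    open(key, "w").close()
    open(policy, "w").close()
    for path, mode in ((domain, 0o744), (hu, 0o744), (key, 0o744), (policy, 0o664)):
        os.chmod(path, mode)
    return root
```

Running `audit_wkd` on a tree built by `build_sample_tree` reports both directories, the key file and the policy file; after `fix_wkd` the audit comes back empty.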

Event Timeline

I fixed the latter two points. For directories this can't be done because not only the server reads the directories but also other deployment tools (e.g. rsync).

werner changed the task status from Open to Testing. Dec 30 2020, 3:07 PM
werner triaged this task as Low priority.

For directories this can't be done because not only the server reads the directories but also other deployment tools (e.g. rsync).

As it is now, Rsync and similar tools must run as the owner or as root. Otherwise they're not allowed to access the contents of the directories. Having the r privilege but not the x privilege on a directory, you can read the list of filenames but not access the files. To allow Rsync to run as another user, you need to set the permissions of directories to -rwxr-xr-x.

@werner I think @Rombobeorn suggests something like

--- a/tools/wks-util.c
+++ b/tools/wks-util.c
@@ -855,13 +855,13 @@ wks_compute_hu_fname (char **r_fname, const char *addrspec)
   fname = make_filename_try (opt.directory, domain, NULL);
   if (fname && gnupg_stat (fname, &sb)
       && gpg_err_code_from_syserror () == GPG_ERR_ENOENT)
-    if (!gnupg_mkdir (fname, "-rwxr--r--") && opt.verbose)
+    if (!gnupg_mkdir (fname, "-rwxr-xr-x") && opt.verbose)
       log_info ("directory '%s' created\n", fname);
   xfree (fname);
   fname = make_filename_try (opt.directory, domain, "hu", NULL);
   if (fname && gnupg_stat (fname, &sb)
       && gpg_err_code_from_syserror () == GPG_ERR_ENOENT)
-    if (!gnupg_mkdir (fname, "-rwxr--r--") && opt.verbose)
+    if (!gnupg_mkdir (fname, "-rwxr-xr-x") && opt.verbose)
       log_info ("directory '%s' created\n", fname);
   xfree (fname);
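Review bot: the mode string is hardcoded twice in this hunk, once for the domain directory and again for its `hu` subdirectory; pulling it into a single constant would make the choice the thread is still debating (`-rwxr-xr-x` here versus the stricter `-rwx--x--x` or `-rwxr-x--x`) in one place. Note also that both `gnupg_mkdir` calls only run when `gnupg_stat` reports `GPG_ERR_ENOENT`, so the new mode applies to freshly created directories only and trees generated by earlier releases keep `-rwxr--r--`; the commit message or release notes should tell operators to chmod existing directories.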

that seems useful to me as well.

An additional security measure would be to go for "-rwxr-x--x" (assuming the web server is not part of the group) or for "-rwx--x--x" which assumes that the web server is part of the group and other tools for updating can run with the uid.