Nmap Development mailing list archives
Re: [NSE] Adding mkdir support
From: David Fifield <david () bamsoftware com>
Date: Thu, 5 Apr 2012 09:52:34 -0700
On Wed, Apr 04, 2012 at 08:55:50PM +0100, Djalal Harouni wrote:
> On Sat, Mar 31, 2012 at 10:20:09PM +0200, Patrik Karlsson wrote:
> > Hi Djalal,
> >
> > Your comment got me thinking and while working on the luadoc
> > documentation I went through all of the functionality the fs library
> > provides. To be honest, I don't think it should be a problem including
> > any of the functions.
>
> Ok, I took a quick look, and I think that we should modify the following:
>
> make_dir() function calls mkdir() in this way:
>
> mkdir (path, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IWGRP | S_IXGRP | S_IROTH | S_IXOTH );
>                                                      ^^^^^^^
>
> At least we should use 0755 regardless of the current value of umask and
> avoid situations where groups are shared...
>
> Other solutions:
> 1) use 0700 mode ? (I like this one).
> 2) add an extra argument to control the mode ?

I think option (1) is the right one.

> BTW while we are at this thing, IMHO we should add checks to only write to
> directories owned by the current user and writable only by the current
> user, and try to avoid issues that can arise from following crafted URLs
> and links from servers. Perhaps we should define something like "/" root
> directory and write all the stuff there in case...

These kinds of checks can be difficult to get right but I agree that we can make a best effort here. It's possible to imagine attacks like creating a directory with a guessable name in /tmp that another program is using as a lock. I think we can first adopt the mkdir function and later add these checks. I like the idea of having a sandbox directory that contains all file write operations done by NSE. But that's likely to break some things at this point and we would need a proposal as to how it would work.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
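
The mode and ownership points raised in this message, as an added C example that is not Nmap's code and was not posted to the thread: `make_private_dir` (a hypothetical helper) creates the directory as 0700 whatever the umask is, and accepts a path that already exists only if it is a real directory owned by the current user and not writable by group or others. The `/tmp/nse-demo-XXXXXX` location in `main` is a constructed sample.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (added example, not Nmap code). Returns 0 if `path`
 * ends up as a directory owned by the current user that nobody else can
 * write to; returns -1 with errno set otherwise. */
int make_private_dir(const char *path)
{
    struct stat st;
    int created = (mkdir(path, S_IRWXU) == 0);      /* request 0700 */
    if (!created && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW: a symlink planted at `path` makes open() fail instead of
     * redirecting us. All checks below use the opened object, not the name. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0)
        goto fail;
    if (st.st_uid != geteuid()) { errno = EPERM; goto fail; }
    if (created) {
        /* umask can only clear bits from the mkdir() mode, so set exactly
         * 0700 on the directory we just created. */
        if (fchmod(fd, S_IRWXU) != 0)
            goto fail;
    } else if (st.st_mode & (S_IWGRP | S_IWOTH)) {
        errno = EACCES;            /* pre-existing and writable by others */
        goto fail;
    }
    close(fd);
    return 0;
fail:
    { int saved = errno; close(fd); errno = saved; }
    return -1;
}

int main(void)
{
    char base[] = "/tmp/nse-demo-XXXXXX";    /* constructed sample location */
    char out[64];
    if (!mkdtemp(base)) return 1;
    snprintf(out, sizeof out, "%s/out", base);
    printf("%s -> %d\n", out, make_private_dir(out));
    return 0;
}
```

The helper does not vet the parent directory, so it covers only the final path component; the sandbox-directory idea in the message would need the same checks applied to the root it writes under.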