#224 Issue closed: security enhancements, changing umask before writing ISO images
Labels: enhancement
domibarton opened issue at 2013-04-11 08:38:
Hi
Because the ISO image contains confidential information, we had to ensure the image is only readable by root. AFAIK by default there is no chmod/chown of the generated ISO image, so the files will be created with default permissions.
As the umask will be used for new files / default permissions, it might be interesting to set the umask to a "secure" value before any (ISO) files will be written:
--- usr/share/rear/output/default/01_set_umask.sh 1970-01-01 01:00:00.000000000 +0100
+++ usr/share/rear/output/default.patched/01_set_umask.sh 2013-03-05 13:35:35.000000000 +0100
@@ -0,0 +1,12 @@
+#
+# 01_set_umask.sh
+#
+# As umask can vary on different systems, we've to set it to a secure value
+# before we're start writing any files. With a defined umask of 0077, further
+# files will automatically be written with root permissions only.
+#
+# Author: dbarton, confirm IT solutions
+#
+
+Log "Setting umask to 077"
+umask 0077
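Review bot: The umask set here persists for the rest of the rear run, not just for the ISO write, so every file created after output/default/01_set_umask.sh (including whatever later backup methods produce) ends up 0600/0700; the header comment should state that scope explicitly, or the script should say which stages it is meant to cover. Minor: the Log line says "077" while the command sets "0077" (same value, but keep the two consistent), and the comment has typos ("we've to set it", "before we're start writing").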
Cheerio
Domi
gdha commented at 2013-04-11 12:07:
this might impact the backup methods after creating the ISO image.
Wouldn't it be easier just to execute a chmod 400 on the ISO image itself?
domibarton commented at 2013-04-11 12:23:
Yes that would be possible too.
But as long as the ISO file isn't finally written (and chmod'ed afterwards), the "attacker" has access to the already written data. Hence a chmod after the data is written isn't as secure as setting the umask before anything is created.
There's a workaround by creating an empty ISO file, executing a chmod 400 and writing the ISO image afterwards to the protected file.
Might be secure, but chmod man page says:
The effect on file descriptors for files open at the time of a call to chmod() is implementation-defined.
I think umask 077 is the right way to go. It works in our environment, though I don't know if every other backup method / environment is working as well. Might have an impact for additional files.
Btw. we chmod / chown the generated ISO file to our dedicated backup user after everything ran successfully.
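The three points argued in this thread, as an added example that is not code from the rear project or from either participant: a file created under umask 0077 is private from the moment it exists, a file created under a typical umask and chmod'ed afterwards is readable by others for as long as it is being written, and, per the chmod man page caveat quoted above, a descriptor opened before the chmod keeps the access it was granted at open time. Function names, the backup.iso file name and the use of a temporary directory are assumptions for the demonstration; it needs only POSIX sh, ls, cut and mktemp.

```shell
#!/bin/sh
# Added example, not part of rear or of this issue. Assumes POSIX sh with
# ls, cut, mktemp and a writable temporary directory.

# Return the symbolic mode string (e.g. "-rw-------") of a file; ls output is
# portable where stat(1) flags are not.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Approach from the patch: umask is set before the file is created, so the
# file is owner-only from the first byte written. The subshell keeps the
# umask change local to this function.
create_with_umask() {
    dir=$(mktemp -d)
    ( umask 0077; : > "$dir/backup.iso" )
    mode_of "$dir/backup.iso"
    rm -rf "$dir"
}

# Alternative from the discussion: create the file under a typical umask
# (0022 assumed here), write it, chmod 400 afterwards. The function returns
# the mode the file had while it was being written, i.e. the window in
# which other users could already read the partial image.
create_then_chmod() {
    dir=$(mktemp -d)
    ( umask 0022; : > "$dir/backup.iso" )
    before=$(mode_of "$dir/backup.iso")
    chmod 400 "$dir/backup.iso"
    rm -rf "$dir"
    printf '%s\n' "$before"
}

# The chmod(2) caveat: permissions are checked at open() time. A reader that
# already holds a descriptor is not affected by a later chmod, even to 000.
# Returns the line read through that descriptor after the chmod.
read_after_chmod() {
    dir=$(mktemp -d)
    printf 'secret\n' > "$dir/backup.iso"   # constructed "confidential" content
    exec 3< "$dir/backup.iso"               # open for reading first
    chmod 000 "$dir/backup.iso"             # then strip every permission bit
    read -r line <&3                        # still readable via fd 3
    exec 3<&-
    rm -rf "$dir"
    printf '%s\n' "$line"
}

create_with_umask    # prints -rw-------
create_then_chmod    # prints -rw-r--r--
read_after_chmod     # prints secret
```

The first two functions are the practical difference between the patch and the chmod-after suggestion: with umask the protection is in place before any data exists, with chmod there is a window whose length is the whole write. The third function is why the "empty file, chmod, then write" workaround is only as good as the guarantee that nobody opened the file in between.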
[Export of Github issue for rear/rear.]