os: consider mapping Unix permissions bits to Windows ACLs #70524

Open
neild opened this issue Nov 22, 2024 · 1 comment
Labels
NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made.
Comments

@neild
Contributor

neild commented Nov 22, 2024

The os.FileMode/io/fs.FileMode type represents a file's "mode and permission bits".

Permission bits are a Unix concept. FileMode exposes these bits directly: "The nine least-significant bits are the standard Unix rwxrwxrwx permissions." (The FileMode documentation doesn't even bother to specify which bit is which, assuming that this is common knowledge.)

On Windows, the os package translates the permission bits to the FILE_ATTRIBUTE_READONLY attribute:

  • When creating a file, the file is created with FILE_ATTRIBUTE_READONLY if the bit 0o200 (user-writable) is not set.
  • When statting a file, the mode bits are set to 0o444 if FILE_ATTRIBUTE_READONLY is set, 0o666 otherwise.

The os package does not attempt to distinguish between the user/group/other bits. It is not possible to create a file readable only by the current user. os.CreateTemp is documented as creating files with mode 0o600; while technically accurate (the best kind of accurate!), this is somewhat misleading on Windows because the file will be world read/writable.

A similar issue with Python temporary files was assigned CVE-2024-4030. After some discussion, we're inclined to say that os.CreateTemp's current behavior is not a vulnerability since the os package's lack of support for Windows permissions is well-known and CreateTemp does indeed behave according to its documentation in that light. But it's certainly unfortunate.

This issue is to consider the possibility of mapping Unix permission bits to Windows ACLs in the os package. There are well-known security identifiers (SIDs) that translate fairly closely to the Unix concepts of user/group/other: SECURITY_CREATOR_OWNER_RID, SECURITY_CREATOR_GROUP_RID, and SECURITY_WORLD_RID. The os package could set an ACL on new files using these SIDs, and possibly translate simple ACLs to Unix permissions when returning a FileMode.

Making this change has the risk of breaking existing programs that depend on the current behavior. We'd definitely want a GODEBUG to revert to the old behavior.
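The following is an added sketch of the mapping the issue proposes, not code from the issue, from the Go os package, or from the gist linked below. It models both directions: permission bits to allow ACEs for CREATOR OWNER, CREATOR GROUP and Everyone at create time, and a "simple" ACL (those three SIDs only) back to nine permission bits at stat time, plus a check that a file documented as 0o600 grants Everyone no write access. The SID strings and the FILE_GENERIC_* mask values are assumed from Windows documentation; the `ace` type is a simplification of a real ACE, nothing here calls the Windows API, and a real implementation would build a security descriptor through golang.org/x/sys/windows.

```go
package main

import (
	"fmt"
	"io/fs"
)

// Well-known SIDs the issue names, as SDDL strings (assumed standard Windows values).
const (
	sidCreatorOwner = "S-1-3-0" // SECURITY_CREATOR_OWNER_RID
	sidCreatorGroup = "S-1-3-1" // SECURITY_CREATOR_GROUP_RID
	sidWorld        = "S-1-1-0" // SECURITY_WORLD_RID ("Everyone")
)

// Generic file access masks (assumed standard Windows values, not from the issue).
const (
	fileGenericRead    uint32 = 0x120089
	fileGenericWrite   uint32 = 0x120116
	fileGenericExecute uint32 = 0x1200A0
)

// ace is a simplified access-allowed entry: which SID is granted which mask.
type ace struct {
	SID  string
	Mask uint32
}

// bitMasks pairs each rwx bit with the generic access right it would grant.
var bitMasks = []struct {
	bit  fs.FileMode
	mask uint32
}{{0o4, fileGenericRead}, {0o2, fileGenericWrite}, {0o1, fileGenericExecute}}

// sidShift gives the bit position of each SID's rwx triple; sidOrder fixes ACE order.
var sidShift = map[string]uint{sidCreatorOwner: 6, sidCreatorGroup: 3, sidWorld: 0}
var sidOrder = []string{sidCreatorOwner, sidCreatorGroup, sidWorld}

// rwxToMask maps one rwx triple (low three bits) to a Windows access mask.
func rwxToMask(rwx fs.FileMode) uint32 {
	var m uint32
	for _, b := range bitMasks {
		if rwx&b.bit != 0 {
			m |= b.mask
		}
	}
	return m
}

// maskToRWX is the inverse: a bit is set only if its whole generic mask is present.
func maskToRWX(mask uint32) fs.FileMode {
	var rwx fs.FileMode
	for _, b := range bitMasks {
		if mask&b.mask == b.mask {
			rwx |= b.bit
		}
	}
	return rwx
}

// modeToACL is the create-time direction: each non-empty triple becomes an allow
// ACE for its SID; a principal with no allow ACE is granted nothing.
func modeToACL(mode fs.FileMode) []ace {
	var acl []ace
	for _, sid := range sidOrder {
		if m := rwxToMask((mode.Perm() >> sidShift[sid]) & 0o7); m != 0 {
			acl = append(acl, ace{SID: sid, Mask: m})
		}
	}
	return acl
}

// aclToMode is the stat-time direction for "simple" ACLs (allow entries for the
// three well-known SIDs only). Any other SID cannot be expressed in nine bits, so
// ok is false and a caller would fall back to today's READONLY-based behaviour.
func aclToMode(acl []ace) (mode fs.FileMode, ok bool) {
	for _, e := range acl {
		shift, known := sidShift[e.SID]
		if !known {
			return 0, false
		}
		mode |= maskToRWX(e.Mask) << shift
	}
	return mode, true
}

// worldWritable reports whether Everyone is granted write access, which a file
// documented as mode 0o600 must never be.
func worldWritable(acl []ace) bool {
	for _, e := range acl {
		if e.SID == sidWorld && e.Mask&fileGenericWrite == fileGenericWrite {
			return true
		}
	}
	return false
}

func main() {
	// What a 0o600 request (os.CreateTemp's documented mode) becomes under the proposal.
	acl := modeToACL(0o600)
	back, _ := aclToMode(acl)
	fmt.Printf("0o600 -> %+v -> %#o, world-writable=%v\n", acl, back, worldWritable(acl))
}
```

Under today's rule described above, the same 0o600 request leaves the READONLY attribute clear and stat reports 0o666; under this sketch it yields a single ACE for CREATOR OWNER and no entry for Everyone, so `worldWritable` is false. The round trip is lossless only for ACLs built from these three SIDs, which is why `aclToMode` refuses anything else rather than guessing.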

@dmitshur dmitshur added the NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. label Nov 22, 2024
@dmitshur dmitshur added this to the Backlog milestone Nov 22, 2024
@rolandshoemaker
Member

Unclear how useful this actually is, but while thinking about this I came up with the following proof-of-concept: https://gist.github.com/rolandshoemaker/21a04f56111c61da439f5b5a8def3275.

Up to whoever decides to implement this to determine if this actually makes sense or not.
