Task #7952: tracking: CWE-732: File created without restricting permissions - Suricata - Open Information Security Foundation

Actions

Copy link

Task #7952

open

tracking: CWE-732: File created without restricting permissions

Added by Victor Julien 4 days ago. Updated 4 days ago.

Status:

New

Priority:

Normal

Assignee:

Victor Julien

Target version:

9.0.0-beta1

Effort:

Difficulty:

Label:

Description

We generally use a simple fopen pattern when creating files. This is considered to be unsafe as it might create files with permissions that too broad.

There is a workaround, which is to set the umask config option the yaml. This should probably be enabled by default.

Github/CodeQL suggests a more explicit pattern of using open with explicit permission flags followed by fdopen to get a FILE pointer. This is fairly easy for C, but needs a bit more thought for Rust as there we'd need to add Unix specific logic.

Subtasks 5 (5 open — 0 closed)

History
Property changes

Actions

Copy link

Also available in: Atom PDF

Documentation #7953: doc: umask option not documented	New	OISF Dev	Actions
Documentation #7954: doc: umask option not documented (8.0.x backport)	Assigned	OISF Dev	Actions
Feature #7955: c: create files with explicit permissions	New	OISF Dev	Actions
Feature #7956: rust: create files with explicit permissions	New	OISF Dev	Actions
Task #7957: umask: enable by default	New	OISF Dev	Actions

Project

General

Profile

Suricata

Custom queries

Task #7952

tracking: CWE-732: File created without restricting permissions

Updated by Victor Julien 4 days ago

Updated by Victor Julien 4 days ago

Updated by Victor Julien 4 days ago

Updated by Victor Julien 4 days ago