chown() considered harmful

Stephen R. van den Berg
10 November 2010, 14:58
Hiawatha version: 7.4

I notice that setting WorkDirectory to /tmp causes /tmp to suddenly change ownership and permissions. This is considered terribly insecure behaviour. Secure programming implies the following things (amongst others):
a. Preferably avoid performing chown() from within a daemon or even regular program.
b. If chown() needs to be done anyway, use fchown() if at all possible to avoid security leaks due to race conditions.
c. If (f)chown() is to be performed, surround it with lots of sanity checks to see if it actually needs to be done (usually it's not easy to determine the amount of checks to be done, which is why using chown() from within daemons is frowned upon).
d. Instead of chowning, log the problem (possibly refuse to run) and let the administrator take appropriate action.

P.S. One other thing... Claiming to be the "most secure" and "most advanced" webserver is a difficult-to-prove claim which could easily be used to ridicule the server in the light of any deficiencies found. I'd suggest rephrasing it everywhere to "lightweight, secure and advanced webserver" instead.
Stephen R. van den Berg
10 November 2010, 15:00
The same considerations apply to chmod(), BTW.
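The four points above (and the chmod() remark) as working code. This is an added example, not Hiawatha code and not from the poster: a hypothetical check_workdir() that resolves the configured directory once with open(O_DIRECTORY|O_NOFOLLOW), does every sanity check on the resulting fd via fstat(), and only calls fchown()/fchmod() on that same fd, and only when the administrator has explicitly allowed fixing; otherwise it logs and refuses. The deny list of shared/system directories, the "sticky bit means shared" rule and the 0700 target mode are assumptions chosen for the example. The self-test works on a private directory created under /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum workdir_result {
    WORKDIR_OK = 0,   /* owner, group and mode already right; nothing touched */
    WORKDIR_REFUSED,  /* a sanity check failed: problem logged, nothing touched */
    WORKDIR_FIXED,    /* corrected with fchown()/fchmod() on the pinned fd */
    WORKDIR_ERROR     /* a system call failed (errno set) */
};

/* Hypothetical deny list: shared and system directories a daemon must never re-own. */
static int is_shared_or_system_dir(const char *path)
{
    static const char *const banned[] = { "/", "/tmp", "/var/tmp", "/etc", "/usr", "/var", "/home", NULL };
    for (int i = 0; banned[i] != NULL; i++)
        if (strcmp(path, banned[i]) == 0)
            return 1;
    return 0;
}

/* Resolve `path` once, pin the inode with an fd, check it, and fix it only if allowed.
 * A symlink or rename slipped in after the check cannot redirect the fchown()/fchmod(),
 * because those operate on the fd, never on the path string (point b). */
enum workdir_result check_workdir(const char *path, uid_t want_uid, gid_t want_gid,
                                  mode_t want_mode, int allow_fix)
{
    struct stat st;
    int fd;

    if (is_shared_or_system_dir(path)) {
        fprintf(stderr, "WorkDirectory %s: refusing to re-own a shared or system directory\n", path);
        return WORKDIR_REFUSED;
    }
    /* O_DIRECTORY: must be a directory; O_NOFOLLOW: a symlink at `path` is an error. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) {
        fprintf(stderr, "WorkDirectory %s: %s\n", path, strerror(errno));
        return WORKDIR_ERROR;
    }
    if (fstat(fd, &st) < 0) { close(fd); return WORKDIR_ERROR; }

    /* Sanity checks (point c) on the pinned inode, not on the path. */
    if (st.st_mode & S_ISVTX) {                       /* sticky: a shared directory like /tmp */
        fprintf(stderr, "WorkDirectory %s: sticky (shared) directory, not touching it\n", path);
        close(fd);
        return WORKDIR_REFUSED;
    }
    if (st.st_uid != want_uid && st.st_uid != 0) {    /* belongs to some other user */
        fprintf(stderr, "WorkDirectory %s: owned by uid %u, not touching it\n", path, (unsigned)st.st_uid);
        close(fd);
        return WORKDIR_REFUSED;
    }
    if (st.st_uid == want_uid && st.st_gid == want_gid && (st.st_mode & 07777) == want_mode) {
        close(fd);
        return WORKDIR_OK;                            /* the common case: nothing to do (point a) */
    }
    if (!allow_fix) {                                 /* point d: log it, let the admin act */
        fprintf(stderr, "WorkDirectory %s: uid %u gid %u mode %04o, expected uid %u gid %u mode %04o; "
                "fix it by hand\n", path, (unsigned)st.st_uid, (unsigned)st.st_gid,
                (unsigned)(st.st_mode & 07777), (unsigned)want_uid, (unsigned)want_gid, (unsigned)want_mode);
        close(fd);
        return WORKDIR_REFUSED;
    }
    if (fchown(fd, want_uid, want_gid) < 0 || fchmod(fd, want_mode) < 0) { close(fd); return WORKDIR_ERROR; }
    close(fd);
    return WORKDIR_FIXED;
}

/* Self-test on a private directory constructed under /tmp (not real server state). Returns 0 on success. */
int run_demo(void)
{
    char dir[] = "/tmp/workdir-demo-XXXXXX";   /* mkdtemp() creates it 0700, owned by us */
    char lnk[sizeof dir + 8];
    uid_t me = getuid();
    gid_t grp = getgid();
    int rc = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(lnk, sizeof lnk, "%s-link", dir);
    if (check_workdir(dir, me, grp, 0700, 0) != WORKDIR_OK) goto out;        /* already correct */
    if (chmod(dir, 0755) < 0) goto out;                                      /* test scaffolding only */
    if (check_workdir(dir, me, grp, 0700, 0) != WORKDIR_REFUSED) goto out;   /* logged, untouched */
    if (check_workdir(dir, me, grp, 0700, 1) != WORKDIR_FIXED) goto out;     /* fixed via the fd */
    if (check_workdir(dir, me, grp, 0700, 0) != WORKDIR_OK) goto out;
    if (symlink(dir, lnk) == 0 && check_workdir(lnk, me, grp, 0700, 1) != WORKDIR_ERROR) goto out;
    if (check_workdir("/tmp", me, grp, 0700, 1) != WORKDIR_REFUSED) goto out; /* deny list */
    rc = 0;
out:
    unlink(lnk);
    rmdir(dir);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc < 2)
        return run_demo() == 0 ? 0 : 1;
    /* usage: ./workdir <WorkDirectory> [fix]   (any second argument enables fixing) */
    return check_workdir(argv[1], getuid(), getgid(), 0700, argc > 2) == WORKDIR_OK ? 0 : 1;
}
```

Run without arguments it exercises the checks on a throwaway directory; with a path it behaves like a daemon startup check and exits non-zero unless the directory is already right, which is the behaviour point d asks for. Note that setting WorkDirectory to /tmp or / is rejected twice: by the deny list and, for /tmp, by the sticky-bit test on the inode itself.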
Hugo Leisink
10 November 2010, 15:20
I'll add some extra instructions to the manual page about how to use this option properly.
Stephen R. van den Berg
10 November 2010, 16:46
Ok, but then I'd suggest dropping the "secure" attribute to the server's qualities. If this option (even accidentally) is set to e.g. / and subsequently starting the server results in all other users not being able to access their files, I'd consider that to be a big problem (aside from the race conditions).
Hugo Leisink
10 November 2010, 16:56
And typing 'rm -rf /' is also not a smart thing to do. Even when done accidentally. But that doesn't make 'rm' an insecure program.
Stephen R. van den Berg
10 November 2010, 17:15
rm is known to remove things and alter filesystem state, so typing something to that effect is expected to alter the filesystem. Hiawatha is a daemon and a webserver. Well-behaved daemons do not mess up ownerships or file permissions. The most compelling reason for the non-security is the vulnerability to race conditions in filesystem state, which isn't addressed at all in the current Hiawatha implementation.
This topic has been closed.