exozyme/exozyme
7
12
Fork 0
Code Issues 4 Pull requests Projects Releases 39 Wiki Activity

All users have write access to the LGP server code #32

New issue
Closed
opened 2021-08-22 01:30:59 +00:00 by a · 2 comments
a commented 2021-08-22 01:30:59 +00:00
Owner
Copy link

The LGP server code is located at /srv/http/LGP-Server and is currently writable by anyone. This is a security issue because a user could edit the main.py code to do something malicious and it could be then be executed. Alternatively, users can read and modify the LGP server database which is also bad. One possible solution is to only give access to the LGP server devs, namely me and spicecat.

The LGP server code is located at `/srv/http/LGP-Server` and is currently writable by anyone. This is a security issue because a user could edit the `main.py` code to do something malicious and it could be then be executed. Alternatively, users can read and modify the LGP server database which is also bad. One possible solution is to only give access to the LGP server devs, namely me and spicecat.
a added the
security
bug
 labels 2021-08-22 01:30:59 +00:00
a added this to the (deleted) project 2021-08-22 01:31:14 +00:00
a commented 2021-08-26 15:36:47 +00:00
Author
Owner
Copy link

I'm setting the permissions on the LGP server code to only writable by me and I can give access to anyone that wants it with setfacl.

I'm setting the permissions on the LGP server code to only writable by me and I can give access to anyone that wants it with `setfacl`.
a closed this issue 2021-08-26 15:36:47 +00:00
a commented 2021-10-17 02:11:34 +00:00
Author
Owner
Copy link

setfacl -Rm u:spicecat:rwX . does this nicely, and I'll give other people access if they want it as well.

`setfacl -Rm u:spicecat:rwX .` does this nicely, and I'll give other people access if they want it as well.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
v9.0
v8.8
v8.7
v8.6
v8.5
v8.4
v8.3
v8.2
v8.1
v8.0
v7.10
v7.9
v7.8
v7.7
v7.6
v7.5
v7.4
v7.3
v7.2
v7.1
v7.0
v6.1
v6.0
v5.1
v5.0
v4.2
v4.1
v4.0
v3.0
v2.5
v2.4
v2.3
v2.2
v2.1
v2.0
v1.3
v1.2
v1.1
v1.0
v0.3-beta
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
security

Security vulnerability

  
wontfix

This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
invalid
question
security
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: exozyme/exozyme#32
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?