From 8bb28f2f6a6526847fc3d2bc8a216e041a0f8677 Mon Sep 17 00:00:00 2001
From: "Costa Tsaousis (ktsaou)"
Date: Thu, 7 Apr 2016 17:42:54 +0300
Subject: [PATCH] increased security: added option "web files group", so that netdata will also check the group of the files it sends over the web - checks on the user were already in place #186
---
 src/web_client.c | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/src/web_client.c b/src/web_client.c
index 09440ab0..639bb044 100644
--- a/src/web_client.c
+++ b/src/web_client.c
@@ -14,6 +14,7 @@
 #include
 #include
 #include
+#include
 #include
 #include "common.h"
@@ -250,6 +251,31 @@ uid_t web_files_uid(void)
 return(owner_uid);
 }
 
+gid_t web_files_gid(void)
+{
+ static char *web_group = NULL;
+ static gid_t owner_gid = 0;
+
+ if(unlikely(!web_group)) {
+ web_group = config_get("global", "web files group", config_get("global", "web files owner", NETDATA_USER));
+ if(!web_group || !*web_group)
+ owner_gid = getegid();
+ else {
+ struct group *gr = getgrnam(web_group);
+ if(!gr) {
+ error("Group %s is not present. Ignoring option.", web_group);
+ owner_gid = getegid();
+ }
+ else {
+ debug(D_WEB_CLIENT, "Web files group set to %s.\n", web_group);
+ owner_gid = gr->gr_gid;
+ }
+ }
+ }
+
+ return(owner_gid);
+}
+
 int mysendfile(struct web_client *w, char *filename)
 {
 static char *web_dir = NULL;
@@ -300,6 +326,13 @@ int mysendfile(struct web_client *w, char *filename)
 return 403;
 }
 
+ // check if the file is owned by expected group
+ if(stat.st_gid != web_files_gid()) {
+ error("%llu: File '%s' is owned by group %d (expected group %d). Access Denied.", w->id, webfilename, stat.st_gid, web_files_gid());
+ buffer_sprintf(w->response.data, "Access to file '%s' is not permitted.", webfilename);
+ return 403;
+ }
+
 if((stat.st_mode & S_IFMT) == S_IFDIR) {
 snprintf(webfilename, FILENAME_MAX+1, "%s/index.html", filename);
 return mysendfile(w, webfilename);
-- 
2.39.2
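Review bot: web_files_gid() resolves the group with getgrnam(), which hands back a pointer into a static buffer and is not reentrant, and its lazy initialisation of the two statics has no guard, so if web clients are served from more than one thread (not visible in this hunk) two threads can both pass the `!web_group` test and a call racing with another name lookup can read a clobbered struct. A reentrant lookup into a caller-owned buffer, `struct group grbuf, *gr = NULL; char buf[1024];` followed by `getgrnam_r(web_group, &grbuf, buf, sizeof buf, &gr);`, removes the shared buffer; the double initialisation is benign only because every path computes the same value. The fallback taken when the configured group does not exist deserves a comment so nobody reads it as disabling the check, e.g. `// unknown group: fall back to the process's effective gid, so the ownership test in mysendfile() still applies`. The debug() format also carries a trailing `\n` that the error() call beside it does not, which looks unintentional.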
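Review bot: The error() call in the new group check passes `stat.st_gid` and the result of `web_files_gid()` to `%d`, but gid_t is an unsigned type on the usual targets, so the specifier does not match its arguments (-Wformat would flag it), and web_files_gid() is evaluated twice for one denial. Hoisting the expected gid and casting fixes both: `gid_t expected_gid = web_files_gid();` / `if(stat.st_gid != expected_gid) {` / `error("%llu: File '%s' is owned by group %u (expected group %u). Access Denied.", w->id, webfilename, (unsigned)stat.st_gid, (unsigned)expected_gid);`. Matching owner and group still says nothing about the file's mode; if mysendfile() (which starts and ends outside this hunk) has no other permission test, rejecting world-writable files with a `stat.st_mode & S_IWOTH` check would close the gap this ownership test is aiming at.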