Strict permissions checking sudo handling not working in openSeaChest_firmware #161

Open
gdevenyi opened this issue Oct 16, 2024 · 3 comments

@gdevenyi

gdevenyi commented Oct 16, 2024

Following up on #158

Running the same set of testing commands, using the "testing" fixed permissions release.

  • wget
  • untar
  • download firmware file
  • unzip
sudo ./openSeaChest_Firmware -d /dev/sg0 --downloadFW firmware/MU-SAS-0008.LOD
==========================================================================================
 openSeaChest_Firmware - openSeaChest drive utilities - NVMe Enabled
 Copyright (c) 2014-2024 Seagate Technology LLC and/or its Affiliates, All Rights Reserved
 openSeaChest_Firmware Version: 4.2.0-8_0_1 X86_64
 Build Date: Oct 15 2024
 Today: 20241015T235253 User: root
==========================================================================================

/dev/sg0 - ST32000444SS - <REDACTED> - 0006 - SCSI
Couldn't open file firmware/MU-SAS-0008.LOD
vonericsen added a commit to Seagate/opensea-common that referenced this issue Oct 16, 2024
Adding initial code to output errors about Windows directory security issues

[Seagate/openSeaChest#161]

Signed-off-by: Tyler Erickson <tyler.erickson@seagate.com>
vonericsen added a commit to Seagate/opensea-common that referenced this issue Oct 16, 2024
…e file

Making some error messages more informative for users when a directory is not considered secure

[Seagate/openSeaChest#161]

Signed-off-by: Tyler Erickson <tyler.erickson@seagate.com>
vonericsen added a commit that referenced this issue Oct 16, 2024
Pulling in some new error messages that are added in the low-level code doing directory security evaluation to provide better messaging about what went wrong trying to securely open a file.

[#161]

Signed-off-by: Tyler Erickson <tyler.erickson@seagate.com>
@vonericsen
Contributor

@gdevenyi,

Can you try this build from our CI? It enables some additional error messages about the directory security to help debug this issue further. I would like to see what error it reports in your case to figure out what I need to try doing next.

linux-x86_64-portable_error_msgs.zip

@gdevenyi
Author

Much improved feedback:

Insecure path detected: Directory (/home/gdevenyi/Downloads/openSeaChest-feature-Secure_File_Error_Improvements-linux-x86_64-portable/firmware) writable by others. Disable write permissions for groups

Couldn't open file firmware/MU-SAS-0008.LOD

How interesting: unzip running as my regular user vs. root acts differently. I ran the same command, unzip ConstellationES1-Muskie-SAS-StdOEM-0008.zip, and the permissions of the firmware subdir are different.

$ ls -ld /root/openSeaChest-feature-Secure_File_Error_Improvements-linux-x86_64-portable/firmware/
drwxr-xr-x 2 root root 4096 Feb  5  2013 /root/openSeaChest-feature-Secure_File_Error_Improvements-linux-x86_64-portable/firmware/
$ ls -ld ~gdevenyi/Downloads/openSeaChest-feature-Secure_File_Error_Improvements-linux-x86_64-portable/firmware/
drwxrwxr-x 2 gdevenyi gdevenyi 4096 Feb  5  2013 /home/gdevenyi/Downloads/openSeaChest-feature-Secure_File_Error_Improvements-linux-x86_64-portable/firmware/

Looks to me like the umask is different between root (0002) and gdevenyi (0022), which I guess is a general feature you see in many systems.
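
The two directory modes in the `ls -ld` output above, reproduced as an added example (not code from openSeaChest or opensea-common): it creates a directory under each umask value mentioned in the thread and applies a group/other write test of the kind the error message describes. The function names, the `/tmp` scratch path and the requested mode of 0777 are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the permission bits let group or others write, else 0. */
int writable_by_group_or_other(mode_t mode)
{
    return (mode & (S_IWGRP | S_IWOTH)) != 0;
}

/* Permission bits after removing group/other write (what chmod go-w does). */
mode_t tightened(mode_t mode)
{
    return (mode & 0777) & ~(mode_t)(S_IWGRP | S_IWOTH);
}

/* Create <scratch>/firmware with requested mode 0777 under the given umask
 * and return the permission bits it ends up with, or -1 on error. */
int dir_mode_under_umask(mode_t mask)
{
    char base[] = "/tmp/umask_demo_XXXXXX"; /* constructed scratch path */
    char sub[64];
    struct stat st;
    int result = -1;
    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(sub, sizeof sub, "%s/firmware", base);
    mode_t old = umask(mask);
    if (mkdir(sub, 0777) == 0 && lstat(sub, &st) == 0)
        result = (int)(st.st_mode & 0777);
    umask(old); /* restore the caller's umask */
    rmdir(sub);
    rmdir(base);
    return result;
}

int main(void)
{
    const mode_t masks[] = {0002, 0022}; /* the two umask values in the thread */
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++) {
        int mode = dir_mode_under_umask(masks[i]);
        if (mode < 0) { perror("scratch directory"); return 1; }
        printf("umask %04o -> %04o: %s, after chmod go-w: %04o\n", (unsigned)masks[i], (unsigned)mode,
               writable_by_group_or_other((mode_t)mode) ? "group/other-writable" : "ok", (unsigned)tightened((mode_t)mode));
    }
    return 0;
}
```

Running `chmod go-w` on the extracted `firmware` directory gives the same result as `tightened()` and leaves the directory with the mode shown for the copy under `/root`.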

vonericsen added a commit to Seagate/opensea-common that referenced this issue Oct 28, 2024
Further improvement to the error messages from the POSIX secure file. This will provide the user with better information about how to correct the situation and when possible this function will also provide recommendations for commands to run (chown or chmod) as necessary.

[Seagate/openSeaChest#161]

Signed-off-by: Tyler Erickson <tyler.erickson@seagate.com>
vonericsen added a commit that referenced this issue Oct 28, 2024
[#161]

Signed-off-by: Tyler Erickson <tyler.erickson@seagate.com>
@amatus-

amatus- commented Dec 4, 2024

I have a similar problem. I compiled the latest version of OpenSeaChest from git, but the problem persists.

$ sudo ./openSeaChest_Firmware -d /dev/sg1 --downloadFW EvansBPExosX18SATA-STD-512E-SN06.LOD
==========================================================================================
 openSeaChest_Firmware - openSeaChest drive utilities - NVMe Enabled
 Copyright (c) 2014-2024 Seagate Technology LLC and/or its Affiliates, All Rights Reserved
 openSeaChest_Firmware Version: 4.2.0-8_0_1 X86_64
 Build Date: Dec  4 2024
 Today: 20241204T192839	User: root
==========================================================================================

/dev/sg1 - ST18000NM000J-2TV103 - <HIDE> - SN01 - ATA
Couldn't open file EvansBPExosX18SATA-STD-512E-SN06.LOD
