| 1 | +# node_package 3.0.0 |
| 2 | +## Security Improvements |
| 3 | +### Introduction |
| 4 | +### Security Advisory dated March 1, 2016 |
| 5 | +It was [recently reported](http://docs.basho.com/riak/latest/community/product-advisories/codeinjectioninitfiles/) that, if a user could gain access to the `riak` user (or, in node_package parlance, the `package_install_user`), that use would then have write access to init scripts that are generally run as `root`, exposing an escalation of privileges attack where said use could then get the `root` user to execute a script that could allow the original user to become `root` on the system. |
| 6 | + |
| 7 | +### Additional Security Review |
| 8 | + |
| 9 | +After the security advisory was initially released, a more through review of all of the `node_package`-generated packages was conducted. This review found some additional cases of files or directories owned by the `package_install_user` or `package_install_group` that could also potentially allow a user with access to run in the context of that user to overwrite files that may later be executed by `root`. This release of `node_package` has significantly tightened the ownership and permissions of files installed, in most cases following the target systems' conventions (`root:root`, `root:bin`, `root:wheel`) for all files that are executable or could be executed, including library files that the packaged application may read. |
| 10 | +The [node_package](https://github.com/basho/node_package) library is used to build deployable packages for Erlang applications that target many operating systems. Node_package supports building installation packages for: |
| 11 | + |
| 12 | +- Redhat / Fedora and variants |
| 13 | +- Debian / Ubuntu and variants |
| 14 | +- FreeBSD |
| 15 | +- OSX |
| 16 | +- SmartOS |
| 17 | +- Solaris |
| 18 | + |
| 19 | +### TL;DR - What should I do? |
| 20 | + |
| 21 | +#### You're a user updating a system (like Riak) installed by node_package: |
| 22 | + |
| 23 | +When upgrading from an older version of a system like Riak that uses node_package for installation, you may need to verify the following (note, the examples will be for a Centos 7-based Linux installation of Riak, but should illustrate the required checks for most OSes and similar packages): |
| 24 | + |
| 25 | +- Validate permissions on existing directories and make them owned by root:root (or the appropriate user/group for your operating system) and not writable by the package_install_user/group. For this example, we will list the specific directories for the Centos 7 install, and then their `node_package` template names in parenthesis afterward. Directories and files include: |
| 26 | + - /usr/lib64/riak (`platform_lib_dir`) |
| 27 | + - /etc/riak (`platform_etc_dir`) |
| 28 | + - /usr/bin (`platform_bin_dir`), specifically |
| 29 | + - riak |
| 30 | + - riak-admin |
| 31 | + - riak-debug |
| 32 | + - riak-repl |
| 33 | + - search-cmd |
| 34 | + - /etc/init.d/riak (`platform_etc_dir`/init.d/`package_install_name`) |
| 35 | +- Validate the home directory of the `platform_install_user` user is set to the `platform_data_dir`, in the case of Riak on Centos 7 this should be the `riak` user and the `/var/lib/riak` directory, and not `/usr/lib64/riak`. If necessary, change the home directory of the `riak` (`package_install_user`) user to point to `/var/lib/riak` (`platform_data_dir`). |
| 36 | + |
| 37 | +#### You're an application maintainer that uses node_package to produce packages for your application: |
| 38 | + |
| 39 | +Please upgrade to version 3.0.0 of node_package and test your packaging/install process carefully. If you were depending on the writability of directories outside of the `platform_data_dir` you may need to adjust your application to store writable files in `platform_data_dir` rather than some other directory, like `package_root_dir`. |
| 40 | + |
| 41 | +Additionally, the home directory of the `package_install_user` has been normalized across platforms to be the `platform_data_dir`. If you somehow depended on the home directory to be set to `platform_base_dir` make appropriate changes to ensure your application can handle the change in home directory. |
| 42 | + |
| 43 | +### Changes in version 3.0.0 |
| 44 | +#### File Ownership/Permissions |
| 45 | +In all cases, the only files installed as owned by `package_install_user:package_install_group` are now files to which the packaged application needs to write. These files/directories include data directories and log directories. All other files/directories installed by `node_package`-packaged systems should now be owned by the appropriate `root` account and group for the target operating system. |
| 46 | + |
| 47 | +#### Home directory of `package_install_user` |
| 48 | +In some cases, the home directory of the created `package_install_user` was set to a directory that is now not writable by that user (often the `package_base_dir`). In all cases, we have standardized on using the `platform_data_dir` for the home directory of the `package_install_user`. This may cause issues on upgrades, as the user in that case won't be updated (since it already exists) but post-install scripts may now ensure that the directory set as the `package_install_user`'s home directory is owned by the appropriate root user/group. This will manifest itself as start/stop scripts, ping, etc. failing to be able to write to a file called `.erlang.cookie` in that directory. In order to resolve this issue, please use your operating system's `usermod` or similar utility to change the home directory of the user to match the `platform_data_dir` of the installed application. |
| 49 | + |
| 50 | +### Details of the changes: |
| 51 | +To view the individual changes to install package instructions, please see [this PR ](https://github.com/basho/node_package/pull/196). As always, if you have seen or find any additional issues that may raise security concerns, please email [[email protected]](mailto:[email protected]). |
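Review bot: the template variable names are inconsistent in places where readers need to map them onto their own packages. New-file line 35 says `platform_install_user` where every other line uses `package_install_user`, and line 48 says `package_base_dir` where line 41 says `platform_base_dir`. Pick one name for each and use it throughout. Line 34 gives the init script template as `platform_etc_dir`/init.d/`package_install_name`, but line 27 maps `platform_etc_dir` to /etc/riak, which would not produce /etc/init.d/riak, so the template expression needs correcting. Structurally, `### Introduction` on line 3 has no body, and the paragraph that introduces node_package and its supported platforms sits at line 10 under "Additional Security Review". Move that paragraph and its list up under the Introduction heading. Typos to fix: "that use would then" and "said use" on line 5 should read "user", "more through review" on line 9 should read "thorough", and there is a stray space inside the link text "[this PR ]" on line 51.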