Default permissions for keystore
ya-mouse opened this issue · 5 comments
I just found that by default the keystore's directories are being created with 0777
(world writable!) permissions:
https://github.com/tpm2-software/tpm2-tss/blob/master/src/tss2-fapi/ifapi_helpers.c#L1082
r = create_dirs(supdir, path_list, 0777);
and being used in keystore population.
For example:
mkdir("/var/", 0777) = -1 EEXIST (File exists)
mkdir("/var/lib/", 0777) = -1 EEXIST (File exists)
mkdir("/var/lib/tpm2-tss/", 0777) = -1 EEXIST (File exists)
mkdir("/var/lib/tpm2-tss/system/", 0777) = -1 EACCES (Permission denied)
Aren't such permissions too broad?
The setgid bit is used. When the setgid (set group ID) bit is set on a directory, it affects the group ownership of newly created files and subdirectories within that directory. E.g.:
ls -l /usr/local/var/lib/tpm2-tss/
total 4
drwxrwsr-x 3 tss tss 4096 Jun 10 17:33 system
Thus the created files do not have world writable permissions.
The following applies because the umask value comes in, and not because of the setgid bit, which affects only the group ownership of the created child entries. I believe your umask is something like 0022. With zero umask:
# umask
0022
# mkdir -p 0777 /var/lib/tpm2-tss/system/a
# stat /var/lib/tpm2-tss/system/a
File: /var/lib/tpm2-tss/system/a
Size: 0 Blocks: 0 IO Block: 4096 directory
Device: 0,27 Inode: 5255 Links: 1
Access: (2755/drwxr-sr-x) Uid: ( 0/ root) Gid: ( 982/ tss)
#
# umask 0000
#
# strace -etrace=mkdir mkdir -p 0777 /var/lib/tpm2-tss/system/b
mkdir("0777", 0777) = -1 EEXIST (File exists)
mkdir("/var", 0777) = -1 EEXIST (File exists)
mkdir("lib", 0777) = -1 EEXIST (File exists)
mkdir("tpm2-tss", 0777) = -1 EEXIST (File exists)
mkdir("system", 0777) = -1 EEXIST (File exists)
mkdir("b", 0777) = 0
# stat /var/lib/tpm2-tss/system/b
File: /var/lib/tpm2-tss/system/b
Size: 0 Blocks: 0 IO Block: 4096 directory
Device: 0,27 Inode: 5256 Links: 1
Access: (2777/drwxrwsrwx) Uid: ( 0/ root) Gid: ( 982/ tss)
For non-standard paths where the upper-level directories of tpm2-tss don't exist, the directory creation is governed only by the umask if running as the root user.
What was the reason to use 0777 instead of a more restrictive value, i.e. 0775, and not rely on the umask value? I suppose system_dir is for objects that should be available to non-tss group users, but user_dir should be way more restrictive, like 0700?
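To show the alternative the question above asks for, here is a small C example (added here, not code from tpm2-tss) that creates keystore directories with an explicit mode instead of relying on umask: mkdir() alone is masked by the caller's umask, so each directory the code creates is chmod()ed afterwards, and directories that already exist are never touched. The names mkdir_mode, create_dirs_explicit, mode_of and demo are hypothetical, and demo uses a constructed throwaway path under /tmp.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
/* mkdir() then chmod(): mkdir()'s mode is always masked by the caller's
 * umask, so only the explicit chmod() makes the result umask-independent.
 * An existing directory is left untouched. */
static int mkdir_mode(const char *dir, mode_t mode)
{
    if (mkdir(dir, mode) == 0) return chmod(dir, mode);
    return errno == EEXIST ? 0 : -1;
}
/* Create every missing component of `path` with `mode` applied explicitly. */
int create_dirs_explicit(const char *path, mode_t mode)
{
    char buf[PATH_MAX];
    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    for (char *p = buf + 1; *p; p++) {
        if (*p != '/') continue;
        *p = '\0';                          /* cut at this component */
        if (mkdir_mode(buf, mode) != 0) return -1;
        *p = '/';
    }
    return mkdir_mode(buf, mode);           /* the last component */
}
/* Permission bits of `path` (setgid/sticky included), or -1 on error. */
int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}
/* Worst case from the thread, umask 0: a bare mkdir(..., 0777) yields a
 * world-writable directory, the explicit variant exactly 0700. Returns 1
 * when both hold. Uses a throwaway directory under /tmp (constructed). */
int demo(void)
{
    char base[] = "/tmp/keystore-demo-XXXXXX", naive[PATH_MAX], user[PATH_MAX];
    if (mkdtemp(base) == NULL) return 0;
    strcat(strcpy(naive, base), "/naive");
    strcat(strcpy(user, base), "/user/keystore");
    mode_t old = umask(0);
    int naive_ok = mkdir(naive, 0777) == 0 && (mode_of(naive) & S_IWOTH) != 0;
    int user_ok = create_dirs_explicit(user, 0700) == 0 && mode_of(user) == 0700;
    umask(old);
    return naive_ok && user_ok;
}
```

For a shared system directory the same helper can be called with 02775 so the setgid bit is set explicitly rather than inherited by accident.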
Yes, that's true. Especially for the user_dir it would be better not to rely on the umask value. For the directory /var/lib/tpm2-tss/system/keystore the setgid bit should be set.
The issue that I've encountered, as per the original findings: if /var/lib/tpm2_tss is not owned by the tss group and the system subdir exists with proper permissions, then mkdir() will fail with EPERM under a regular user process having the tss supplementary group.
The permissions in the following file are supposed to be for system/keystore:
https://github.com/tpm2-software/tpm2-tss/blob/master/dist/tmpfiles.d/tpm2-tss-fapi.conf.in
From actual experience, they should be on tpm2_tss.
I'm afraid I don't understand the point. Could you maybe explain it a bit more?