Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: improve security documentation #311

Open
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

n0toose
Copy link
Contributor

@n0toose n0toose commented Nov 17, 2024

Minor wording fixes. Increases visibility of Builder::permissions,
the NamedTempFile Security documentation and
env::override_temp_dir.

Partially addresses #303.

Minor wording fixes. Increases visibility of `Builder::permissions`,
the `NamedTempFile` Security documentation and
`env::override_temp_dir`.

Partially addresses Stebalien#303.
@n0toose
Copy link
Contributor Author

n0toose commented Nov 17, 2024

I tried to avoid rewriting the text, give specific instructions in the first page of the documentation (so that they won't be implemented without nuance) and instead opted for pointing people to the right parts of the documentation - where we have enough space to explain everything precisely - and an external resource that explains the problem to the user.

Every use case is different, and figuring out the security aspects should be the user's responsibility - accidentally misleading the user is not very worth it.

@n0toose
Copy link
Contributor Author

n0toose commented Nov 17, 2024

This also fixes an unfortunate cargo fmt problem from my previous PR.

Copy link
Owner

@Stebalien Stebalien left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

src/lib.rs Outdated Show resolved Hide resolved
src/lib.rs Outdated
//! operating systems and depending on your use case, it may be possible to
//! mitigate this issue by overriding the crate's default options. For more information,
//! consult the Security documentation of the [`NamedTempFile`] type,
//! [`Builder::permissions`] and [`env::override_temp_dir`].
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: Builder::permissions is relevant for Builder::tempdir, but not for Builder::tempfile (NamedTempFile) because:

  1. Changing the permissions of the file won't stop temporary file cleaners (the main issue).
  2. The permissions default to 0600.

However, setting the permissions is an important security consideration for temporary directories, so that should probably be called out.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The permissions default to 0600.

I presume that this is not the case on Windows (with an equivalent permission)? I sent a revised version.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Either way, it would be interesting to document that so that people know how to work around that if necessary in the meantime (e.g. using /tmp on Linux, but using a custom directory with specific permissions on Windows) and to allow room for a contribution that fixes the need for such a workaround to be made.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I presume that this is not the case on Windows (with an equivalent permission)? I sent a revised version.

IIRC, windows already defaults to per-user temporary directories with restricted permissions.

Either way, it would be interesting to document that so that people know how to work around that if necessary in the meantime (e.g. using /tmp on Linux, but using a custom directory with specific permissions on Windows) and to allow room for a contribution that fixes the need for such a workaround to be made.

The issue discussed above is about pathological temporary file cleaners. Builder::permissions does not mitigate this issue and I don't want users to think it might.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for clarifying. I think I did not really see the forest for the trees. I'll revise my change again for increased clarity.

a temporary file cleaner could delete the temporary file which an attacker could then replace.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I changed the wording re: "predictable file names" without explicitly explaining the problem. I chose to link to the affected / relevant functions instead.

@n0toose n0toose requested a review from Stebalien November 19, 2024 18:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants