[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Health-dev] [bug #58584] Various security issues for gnuhealth-control
|
From: |
Luis Falcon |
|
Subject: |
[Health-dev] [bug #58584] Various security issues for gnuhealth-control |
|
Date: |
Sat, 20 Jun 2020 10:53:31 -0400 (EDT) |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0 |
Update of bug #58584 (project health):
Severity: 4 - Important => 3 - Normal
Status: None => Fixed
Assigned to: None => meanmicio
Open/Closed: Open => Closed
Release: None => 3.6.0
_______________________________________________________
Follow-up Comment #1:
Dear all
I have submitted some patches for GNU Health control, including some
recommendations from openSUSE security assessment.
Some notes that you might want to consider for the openSUSE version of
the GH control center:
* Keep in mind that the standard GNU Health installation uses a non-privileged
user ("gnuhealth"), so we don't use /var/run, /var/log, or any system
directory. In addition, all Python dependencies are also installed locally,
under $HOME/.local)
* The GNU Health update directory is static because we need to be able to have
the latest update in case of issues and take it from there. So running in a
pseudo-random directory or the use of mktemp is not suitable for this
scenario.
* To avoid some user in the same server creating a file with the same location
and name, thus preventing from running the backup, the new GNU Health control
will create the temporary lock and info files in the gnuhealth HOME directory,
so only the gnuhealth administrator will be able to access those files.
* We are using the mktemp with the prefix directory (/tmp) included (mktemp -d
/tmp/gnuhealth-XXXX) . This makes it compatible with FreeBSD.
* Please use mktemp and assign it to a local variable in the "getlang"
function scope. There is no need to create the directory in contexts other
than installation of a particular language.
* Finally, we now delete the temporary directory after language
installation process, regardless of the exit status.
The revision is at :
https://hg.savannah.gnu.org/hgweb/health/rev/a56e504fc120
And the GH 3.6.4 raw file:
https://hg.savannah.gnu.org/hgweb/health/raw-file/a56e504fc120/tryton/gnuhealth-control
Thank you again for your time and very valuable recommendations!
PS. @Axel: The file that you have uploaded only changes http by https. I think
you uploaded the wrong file.
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?58584>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/