Community Packages


FS#56962 - [browserify] world writable directories in /usr/lib/node_modules/

Attached to Project: Community Packages
Opened by BrLi (brli) - Friday, 05 January 2018, 08:16 GMT
Last edited by Levente Polyak (anthraxx) - Friday, 12 January 2018, 12:45 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: Felix Yan (felixonmars), Levente Polyak (anthraxx)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Description:

Directory is world-writable (777).

Additional info:
* package version(s) 15.0.0-1
* config and/or log files etc.


Steps to reproduce:

pacman -Syu from the prior version pops the warning about differing permissions between the package (777) and the filesystem (which is 755).

Closed by Levente Polyak (anthraxx)
Friday, 12 January 2018, 12:45 GMT
Reason for closing: Fixed
Additional comments about closing: 15.1.0-2
Comment by Doug Newgard (Scimmia) - Friday, 05 January 2018, 08:21 GMT
What directory? Updating from what version? Since we don't know what dir, are you sure this isn't correct?
Comment by Eli Schwartz (eschwartz) - Friday, 05 January 2018, 13:59 GMT
  • Field changed: Status (Unconfirmed → Assigned)
There is a nondeterministic race in npm that leads to the node_modules directory having 777; all nodejs modules should really use the following in package():

find "$pkgdir/usr" -type d -exec chmod 755 '{}' +

Seriously, just bsdtar -xvf browserify-15.0.0-1-any.pkg.tar.xz and look at all those world-writable directories, taking a list would be kind of awkward. ;)
Comment by BrLi (brli) - Friday, 05 January 2018, 17:04 GMT
@Scimmia: sorry for not being clear enough. "The prior version" means the last svn (git?) commit before this version (15.0.0), aka 14.5.0
(if https://git.archlinux.org/svntogit/community.git/log/trunk?h=packages/browserify tells the right history :D)

And, thanks @eschwartz for pointing this nodejs problem out.
Comment by Thom Wiggers (twiggers) - Friday, 12 January 2018, 08:35 GMT
This still happens in 15.1.

Additionally, this should be considered a security issue, as I can do the following to attack people on shared machines:

1. Note that /usr/lib/node_modules/browserify is 777
2. mv /usr/lib/node_modules/bin{,2}
3. cp -r /usr/lib/node_modules/{bin2,bin}
4. Insert `mail-.ssh-to-thom()` and `rm -rf $HOME` into /usr/lib/node_modules/browserify/bin/cmd.js
5. Wait for them to run browserify.

I don't think this attack is limited to the `bin/` folder: you may also insert malicious code into any of the libraries included.
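The two things a packager wants from this thread are a way to check a package for the permission problem before it ships and the fix eschwartz suggests for package(). The script below is an added example and is not code from the bug report, from the browserify package, or from Arch's packaging tools. It audits a `bsdtar -tvf` listing without extracting anything, audits an extracted tree on disk, and applies the `find ... chmod 755` fix; the sample tree and the sample listing it uses are constructed stand-ins for the browserify layout, not real package contents.

```shell
#!/bin/sh
# Added example (not from the bug report or the browserify package): audit a
# package for world-writable entries and apply the directory chmod that
# eschwartz recommends for package(). All paths below are constructed.

# Audit a package without extracting it: feed `bsdtar -tvf pkg.tar.xz` on
# stdin. Prints mode and path for entries whose mode string has the
# other-write bit set (9th character of e.g. "drwxrwxrwx"). Symlinks are
# skipped because they always list as lrwxrwxrwx. Assumes no spaces in paths.
audit_pkg_listing() {
    awk 'substr($1, 1, 1) != "l" && substr($1, 9, 1) == "w" { print $1, $NF }'
}

# Audit an extracted tree: every directory or regular file under $1 with the
# other-write bit set. -perm -002 is the POSIX spelling of "mode & 0002".
find_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 | sort
}

# Number of world-writable entries under $1 (0 when the tree is clean).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# The fix from the thread, as it would appear in package(): force 755 on
# every directory. Regular files are deliberately left alone here.
fix_dir_perms() {
    find "$1" -type d -exec chmod 755 '{}' +
}

# Constructed stand-in for an extracted browserify-like package rooted at $1:
# two directories left at 777 (the bug) and the rest at 755 (expected).
make_sample_tree() {
    root="$1"
    umask 022
    mkdir -p "$root/usr/lib/node_modules/browserify/bin"
    mkdir -p "$root/usr/lib/node_modules/browserify/node_modules/somedep"
    printf '#!/usr/bin/env node\n' > "$root/usr/lib/node_modules/browserify/bin/cmd.js"
    chmod 755 "$root/usr/lib/node_modules/browserify/bin/cmd.js"
    chmod 777 "$root/usr/lib/node_modules/browserify"
    chmod 777 "$root/usr/lib/node_modules/browserify/node_modules/somedep"
}

# Constructed bsdtar -tvf output for the same layout (the second line is the
# kind of entry this bug report is about).
SAMPLE_LISTING='drwxr-xr-x  0 root root    0 Jan  5  2018 usr/
drwxrwxrwx  0 root root    0 Jan  5  2018 usr/lib/node_modules/browserify/
-rwxr-xr-x  0 root root   12 Jan  5  2018 usr/lib/node_modules/browserify/bin/cmd.js
lrwxrwxrwx  0 root root    0 Jan  5  2018 usr/bin/browserify -> ../lib/node_modules/browserify/bin/cmd.js'

# Number of flagged entries in the sample listing.
count_sample_listing_hits() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_pkg_listing | wc -l | tr -d ' '
}

# Stand-alone demonstration: audit a sample tree, fix it, audit again.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "listing audit flags $(count_sample_listing_hits) entr(y/ies)"
    echo "before fix: $(count_world_writable "$tmp") world-writable entr(y/ies)"
    find_world_writable "$tmp"
    fix_dir_perms "$tmp"
    echo "after fix: $(count_world_writable "$tmp") world-writable entr(y/ies)"
    rm -rf "$tmp"
}

# Run the demo only when executed directly, not when sourced for testing.
case "$0" in
    *sh) ;;
    *) demo ;;
esac
```

In a real PKGBUILD the `find "$pkgdir/usr" -type d -exec chmod 755 '{}' +` line goes at the end of package(), after `npm install`, which is exactly when the nondeterministic 777 from npm would otherwise be captured into the package; the listing audit is the check to run on the built .pkg.tar.xz before pushing, and it is the same condition pacman reports at install time as a directory-permissions warning.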
