OJS v3.3.0-10 – some submitted files in $files_dir/journals are world-writable

odkr · April 25, 2022, 12:11pm

Description of issue or problem I’m having:

Our nightly system check discovered world-writable files in $files_dir/journals, namely:

4/articles/337
4/articles/339
4/articles/336
4/articles/342
4/articles/338

Steps I took leading up to the issue:

None we are aware of.

What I tried to resolve the issue:

I checked the umask setting in config.inc.php, but it is “0022”.

Application Version:

OJS: v3.3.0-10 running on a Debian v11.3 (“bullseye”) LAMP system, using

Linux v5.10.0-9
Apache v2.4.53
PHP (fpm-fcgi) v7.4.28
MariaDB v15.1

Additional information, such as screenshots and error log messages if applicable:

There are other submissions, which have been created earlier than the offending ones, and the permissions of these are correct (i.e., user and group “ojs” and mode 0644).
The issue appears to be similar to https://forum.pkp.sfu.ca/t/ojs-v3-3-0-8-creates-world-writable-log-files-in-files-dir-scheduledtasklogs/71980.

Thanks for looking into this!

Lara_M · May 13, 2022, 11:03am

Same issue here. Another thing: if I chane the UMASK setting in config.inc.php it doesn’t seem to work.

I want this permission

660 (rw-rw----) 770 (rwxrwx—)

And the umask to be set is 007, but even if I set it, the files in the dir_files are 777/666.

This is a real security issue, I think.

Lara_M · May 17, 2022, 3:58pm

I also modified the UMASK server-side both in /etc/login.defs and /etc/apache2/envvars. Doesn’t work either.

asmecher · May 17, 2022, 6:01pm

Hi all,

I’ve filed this for review/fixing here:

github.com/pkp/pkp-lib

Ensure umask is respected in file creation

opened 06:01PM - 17 May 22 UTC

asmecher

Bug:2:Moderate Housekeeping:2:Urgent

**Describe the bug** From https://forum.pkp.sfu.ca/t/ojs-v3-3-0-10-some-submitt…ed-files-in-files-dir-journals-are-world-writable/72969: > Our nightly system check discovered world-writable files in $files_dir/journals, namely: > > 4/articles/337 > 4/articles/339 > 4/articles/336 > 4/articles/342 > 4/articles/338 > I checked the umask setting in config.inc.php, but it is “0022”. **What application are you using?** OJS, OMP or OPS version 3.3.0-x (reproduced on 3.3.0-10)

Please consider testing the submitted patch; additional data points would be helpful!

Regards,
Alec Smecher
Public Knowledge Project Team

odkr · June 2, 2022, 9:16am

Thank you! I have been on vacation but will take a look at it right away!

odkr · June 2, 2022, 9:51am

The patch does not resolve the issue. I’ve just applied the patch, restarted Apache and the PHP FPM, and submitted a file for testing. And the directory that has been created for the submission is still world-writable.

asmecher · June 3, 2022, 6:37pm

Hi @odkr,

Is this a directory that was already created before you submitted a new file? If it’s just a new file you submitted, rather than a whole new submission, it’s likely that the directory had already been created before you applied the patch.

Regards,
Alec Smecher
Public Knowledge Project Team

odkr · June 7, 2022, 8:44am

Good point! I’m not sure why that directory should have existed, but after starting over in order to retrace my steps, the issue now appears to be fixed. Thanks a lot!