Fallback Permission Changes To openat + chmod To Support Older Kernels#326
Open
NotGeri wants to merge 1 commit into
Open
Fallback Permission Changes To openat + chmod To Support Older Kernels#326NotGeri wants to merge 1 commit into
NotGeri wants to merge 1 commit into
Conversation
Contributor
|
hey thanks for contributing! I'll review this at the end of my day |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dba5831 introduced a fix for TOCTOU attacks with
AT_SYMLINK_NOFOLLOW, which is only available in thefchmodat2syscall, only supported on kernel 6.6+.This causes legitimate non-symlink-related permission updates to fail with
operation not supportedwhen users attempt to use the 'Permissions' button in the 'File Manager' tab or just have their SFTP client sendSetstat, which most modern desktop SFTP clients do by defaultThere are countless LTS server operating systems affected by this, including various LTS Debian, Ubuntu and especially RHEL versions, all supported by the daemon in theory: https://pterodactyl.io/wings/1.0/installing.html
This was briefly discussed here :
The simplest fix appeared to use the existing
openedatinfrastructure andunix#Fchmodthe safe file descriptor directly, but I'm open to any other suggestions. The PR also resolves a minor FD leak fromopenat, but I'm happy to split that out if it's preferredI have tested this on various supported Debian and Ubuntu versions, and everything appeared to work just fine. I have not tested RHEL-based distros