-rw-r--r--lib/spack/spack/test/permissions.py24
-rw-r--r--lib/spack/spack/util/file_permissions.py17
2 files changed, 35 insertions, 6 deletions
diff --git a/lib/spack/spack/test/permissions.py b/lib/spack/spack/test/permissions.py
index fa83eb37ff..26974c8096 100644
--- a/lib/spack/spack/test/permissions.py
+++ b/lib/spack/spack/test/permissions.py
@@ -27,9 +27,29 @@ def test_chmod_real_entries_ignores_suid_sgid(tmpdir):
def test_chmod_rejects_group_writable_suid(tmpdir):
path = str(tmpdir.join('file').ensure())
- mode = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX
+ mode = stat.S_ISUID
+ fs.chmod_x(path, mode)
+
+ perms = stat.S_IWGRP
+ with pytest.raises(InvalidPermissionsError):
+ set_permissions(path, perms)
+
+
+def test_chmod_rejects_world_writable_suid(tmpdir):
+ path = str(tmpdir.join('file').ensure())
+ mode = stat.S_ISUID
+ fs.chmod_x(path, mode)
+
+ perms = stat.S_IWOTH
+ with pytest.raises(InvalidPermissionsError):
+ set_permissions(path, perms)
+
+
+def test_chmod_rejects_world_writable_sgid(tmpdir):
+ path = str(tmpdir.join('file').ensure())
+ mode = stat.S_ISGID
fs.chmod_x(path, mode)
- perms = stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO
+ perms = stat.S_IWOTH
with pytest.raises(InvalidPermissionsError):
set_permissions(path, perms)
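Review bot: The three tests assert only that InvalidPermissionsError is raised; none checks that the file's mode on disk is unchanged afterwards, which is the property that would break if the check were ever moved after the chmod. Adding a line after each `with` block, such as `assert not os.stat(path).st_mode & stat.S_IWOTH` (`stat.S_IWGRP` in the first test), would pin it; this assumes `os` is imported in the test module, which the hunk does not show. There is also no test for sgid combined with `stat.S_IWGRP`, which the new check in file_permissions.py lets through. A test asserting that this combination is accepted would record whether that is intended.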
diff --git a/lib/spack/spack/util/file_permissions.py b/lib/spack/spack/util/file_permissions.py
index d94b74f51e..b133d2569e 100644
--- a/lib/spack/spack/util/file_permissions.py
+++ b/lib/spack/spack/util/file_permissions.py
@@ -25,10 +25,19 @@ def set_permissions(path, perms, group=None):
# Preserve higher-order bits of file permissions
perms |= os.stat(path).st_mode & (st.S_ISUID | st.S_ISGID | st.S_ISVTX)
- # Do not let users create world writable suid binaries
- if perms & st.S_ISUID and perms & st.S_IWGRP:
- raise InvalidPermissionsError(
- "Attepting to set suid with world writable")
+ # Do not let users create world/group writable suid binaries
+ if perms & st.S_ISUID:
+ if perms & st.S_IWOTH:
+ raise InvalidPermissionsError(
+ "Attempting to set suid with world writable")
+ if perms & st.S_IWGRP:
+ raise InvalidPermissionsError(
+ "Attempting to set suid with group writable")
+ # Or world writable sgid binaries
+ if perms & st.S_ISGID:
+ if perms & st.S_IWOTH:
+ raise InvalidPermissionsError(
+ "Attempting to set sgid with world writable")
fs.chmod_x(path, perms)
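Review bot: The sgid branch rejects only `st.S_IWOTH`, so a group-writable setgid target is still accepted, while the suid branch rejects both group and world write. If the asymmetry is deliberate, the comment `# Or world writable sgid binaries` should say so, for example `# sgid + group-writable is allowed on purpose: <reason>`; otherwise the branch needs an `if perms & st.S_IWGRP:` case as well. Both comments say "binaries", but nothing in the visible lines restricts the check to regular files, so it appears to apply to directories too; the comment should state whether that is meant. The body of set_permissions may continue outside the hunk.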