Security hardening: permissions, path validation, script execution #28

Merged
qwc merged 3 commits from security/hardening into main 2026-02-02 14:09:19 +01:00

Summary

Comprehensive security hardening addressing issues #1, #2, #3, #4, and #5.

Commits

  1. Restrict event socket permissions and safe type assertions (closes #1, #5)

    • Unix socket permissions: 0660 instead of default
    • Safe type assertions with comma-ok pattern in event processing
    • 64 KiB message size limit on socket reads
  2. Restrict file permissions for logs and database (closes #4)

    • Log files: 0640 (was 0666)
    • Database file: 0600 (was 0644)
  3. Harden script execution and validate paths (closes #2, #3)

    • Script path validation: must be absolute, regular file, not symlink, not world-writable
    • ExeUser validation: must exist on system, cannot be root
    • Safe type assertions in ScriptPath switch and Runs.Load() to prevent panics
    • Device name/UUID path component validation to prevent path traversal
    • Config settings path validation (must be absolute)
    • targetPath sanitization with filepath.Clean

Tests added

  • TestValidateScriptPath — absolute, regular file, world-writable, symlink checks
  • TestValidateExeUser — root rejection, valid user, non-existent user
  • TestRunScriptPathTypeAssertions — non-string elements, unexpected types, empty paths
  • TestValidatePathComponent — path traversal, separators, empty values
  • TestMountPathTraversal — mount with traversal in name/UUID

Coverage increased from ~57% to ~68%.

Closes #1, closes #2, closes #3, closes #4, closes #5
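As an added example, not code from this PR or the backive project, the validation rules the description lists can be expressed as three small Go checks: script path (absolute, regular file, not a symlink, not world-writable), ExeUser (existing, non-root account) and device name/UUID path components (nothing that can escape the directory they are joined into). The function names `validateScriptPath`, `validateExeUser` and `validatePathComponent` are assumptions taken from the test names above, not the project's actual identifiers.

```go
package main

import (
	"fmt"
	"os"
	"os/user"
	"path/filepath"
	"strings"
)

// validateScriptPath: absolute, regular file, not a symlink, not world-writable.
func validateScriptPath(p string) error {
	if !filepath.IsAbs(p) {
		return fmt.Errorf("script path %q is not absolute", p)
	}
	fi, err := os.Lstat(p) // Lstat reports a symlink instead of following it
	if err != nil {
		return fmt.Errorf("script path %q: %w", p, err)
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("script path %q is a symlink", p)
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("script path %q is not a regular file", p)
	}
	if fi.Mode().Perm()&0o002 != 0 {
		return fmt.Errorf("script path %q is world-writable", p)
	}
	return nil
}

// validateExeUser: the account must exist and must not be uid 0 (root or an alias of it).
func validateExeUser(name string) error {
	u, err := user.Lookup(name) // returns an error for unknown accounts
	if err != nil {
		return fmt.Errorf("ExeUser %q: %w", name, err)
	}
	if u.Uid == "0" {
		return fmt.Errorf("ExeUser %q maps to uid 0", name)
	}
	return nil
}

// validatePathComponent rejects a device name/UUID that could escape its directory.
func validatePathComponent(c string) error {
	if c == "" || c == "." || c == ".." || strings.ContainsAny(c, "/\\\x00") {
		return fmt.Errorf("invalid path component %q", c)
	}
	return nil
}
```

These checks describe the file only at validation time; the window between the check and the later execution of the script is still a race, so the script's directory should itself be protected from unprivileged writes.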

events.go:
- Set socket permissions to 0660 after net.Listen (was default 0777)
- Use comma-ok pattern for message["data"] and value type assertions
  to prevent panics on malformed input
- Add 64 KiB message size limit to prevent memory exhaustion from
  oversized socket messages

Closes #1
Closes #5

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- backup.go: log files 0666 → 0640 (owner rw, group read)
- database.go: database file 0644 → 0600 (owner only)

Closes #4

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Security: harden script execution and validate paths
All checks were successful
Go / build (pull_request) Successful in 5m19s
291699849b
- Validate script paths: must be absolute, regular file, not symlink,
  not world-writable
- Validate ExeUser: must exist on system, cannot be root
- Safe type assertions in ScriptPath switch and Runs.Load() to prevent
  panics from malformed data
- Validate device name/UUID path components to prevent path traversal
- Validate config settings paths are absolute
- Sanitize targetPath with filepath.Clean before use
- Add comprehensive tests for all new validation functions

Closes #2, closes #3

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
qwc merged commit 3bea4a1111 into main 2026-02-02 14:09:19 +01:00
qwc deleted branch security/hardening 2026-02-02 14:09:19 +01:00
Reference
qwc-open/backive!28