[Mono-dev] patch for StrongName to fix minor security bug

Sebastien Pouliot sebastien.pouliot at gmail.com
Sun Nov 13 09:37:11 EST 2005


Hello Andrew,

The scripts (sn, makecert) have been updated to include 'umask 077'
before calling Mono (SVN r52948).

Thanks again :)

On Sat, 2005-11-12 at 09:57 -0500, Andrew Yates wrote:
> Hi,
> It is my understanding that the key generated by "sn -k foo.snk" is a
> private key used to sign assemblies, and should not be shared with
> anyone other than the key's owner.
> 
> If this is the case, there is a minor security bug in sn: when it
> creates the key, it creates it according to the user's umask. The
> umask for most distributions is 0022 by default, so this would create
> the file with rw-r--r-- (644) permissions, allowing anyone with access to
> that computer to read the key, assuming the key's parent directories
> have rwxr-xr-x (755) permissions.
> 
> The key should be created with rw------- permissions (600). Below is a
> patch which chmods the key to rw------- immediately after creating it, in
> order to prevent unauthorized users from taking it and compromising
> security.
> 
> Andrew
> 
> 
> --- sn.cs.old   2005-11-10 08:31:54.000000000 -0500
> +++ sn.cs       2005-11-12 09:32:45.000000000 -0500
> @@ -352,7 +352,14 @@
>                                                 }
>                                         }
>                                         sn = new StrongName (size);
> -                                       WriteToFile (args[i],
> CryptoConvert.ToCapiKeyBlob (sn.RSA, true));
> +                                               try {
> +                                                       WriteToFile
> (args[i], CryptoConvert.ToCapiKeyBlob (sn.RSA, true));
> +                                                      
> Mono.Unix.Native.Syscall.chmod (args[i],
> (Mono.Unix.Native.FilePermissions)0x180);
> +                                               }
> +                                               catch {
> +                                                      
> Console.WriteLine("An error occurred while creating the file '{0}'.",
> args[i]);
> +                                                       break;
> +                                               }
>                                         if (!quiet)
>                                                 Console.WriteLine ("A
> new {0} bits strong name keypair has been generated in file '{1}'.",
> size, args [i]);
>                                         break;
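Review bot: Mono.Unix.Native.Syscall.chmod reports failure by returning -1 rather than by throwing, so a failed chmod inside this try block leaves the key file at its umask-derived mode while the "keypair has been generated" message is still printed; check the return value (and Stdlib.GetLastError()) and treat non-zero as an error. Two further points: the key blob is written by WriteToFile before the mode is tightened, so under umask 022 the file is world-readable for the window between the write and the chmod, which creating the file with a 0600 mode from the start (or restricting the umask before creation, as the reply above does with 'umask 077') would close; and (Mono.Unix.Native.FilePermissions)0x180 is a magic number better spelled FilePermissions.S_IRUSR | FilePermissions.S_IWUSR. The bare catch also discards the exception message, which the error line could include.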
-- 
Sebastien Pouliot
email: sebastien at ximian.com
blog: http://pages.infinit.net/ctech/
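The umask approach adopted above avoids the window that a chmod-after-write leaves, because the file never exists with a permissive mode. The following shell script is an added illustration written for this thread, not code from the Mono sn or makecert scripts; the file names and key material are constructed. It restricts the umask only inside a subshell (so the caller's umask is untouched), uses noclobber so an existing file is never silently overwritten, and then verifies the resulting mode with POSIX ls.

```shell
#!/bin/sh
# Constructed example: create a private key file so that it is never
# readable by others at any moment of its life. The mode is decided by
# the umask at creation time, so there is no create-then-chmod window.

# Write stdin to the path in $1 with mode 0600.
# The umask change lives only in the subshell; set -C (noclobber) makes
# the redirection refuse to overwrite an existing file.
write_private_file() {
    ( umask 077 && set -C && cat > "$1" )
}

# Return the symbolic mode string of a file, e.g. "-rw-------".
# ls -ld is POSIX, unlike stat's mode formatting flags.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Contrast a file created under the common default umask 022 with one
# created through write_private_file.
demo() {
    dir=$(mktemp -d) || return 1
    umask 022
    printf 'constructed key material\n' > "$dir/default.snk"
    printf 'constructed key material\n' | write_private_file "$dir/private.snk"
    echo "umask 022 : $(mode_of "$dir/default.snk")"
    echo "umask 077 : $(mode_of "$dir/private.snk")"
    rm -rf "$dir"
}

demo
```

Running the script prints -rw-r--r-- for the file created under umask 022 and -rw------- for the one created through write_private_file. Because the second call refuses to clobber, a stale key that already has the wrong mode is reported as an error instead of being reused.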