Skip to content

permission: fix chmod,chown,link, and lutimes#47529

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nodejs-github-bot merged 1 commit into from
Apr 13, 2023
Merged

permission: fix chmod,chown,link, and lutimes #47529

nodejs-github-bot merged 1 commit into from
Apr 13, 2023

Conversation

@RafaelGSS
Copy link
Member

@RafaelGSSRafaelGSS commented Apr 12, 2023
edited
Loading

fs.chmod, fs.chown, fs.link , and fs.lutimes wasn't handled properly by the permission model. This PR fixes it and increase the coverage of all file system API using permission model
cc: @nodejs/security-wg

@nodejs-github-botnodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. fs Issues and PRs related to the fs subsystem / file system. needs-ci PRs that need a full CI run. labels Apr 12, 2023
@RafaelGSSRafaelGSS added the request-ci Add this label to start a Jenkins CI on a PR. label Apr 12, 2023
@github-actionsgithub-actionsbot removed the request-ci Add this label to start a Jenkins CI on a PR. label Apr 12, 2023
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Apr 12, 2023

CI: https://ci.nodejs.org/job/node-test-pull-request/51169/

marco-ippolito
marco-ippolito approved these changes Apr 12, 2023
View reviewed changes
Copy link
Member

@marco-ippolitomarco-ippolito left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@github-actionsgithub-actionsbot mentioned this pull request Apr 13, 2023
Open
36 tasks
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Apr 13, 2023

CI: https://ci.nodejs.org/job/node-test-pull-request/51180/

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Apr 13, 2023

CI: https://ci.nodejs.org/job/node-test-pull-request/51199/

@RafaelGSSRafaelGSS added the fast-track PRs that do not need to wait for 48 hours to land. label Apr 13, 2023
@github-actions
Copy link
Contributor

github-actionsbot commented Apr 13, 2023

Fast-track has been requested by @RafaelGSS. Please 👍 to approve.

@RafaelGSS
Copy link
MemberAuthor

RafaelGSS commented Apr 13, 2023

I need to include it on v20.0.0 proposal for security reasons.

tniessen
tniessen reviewed Apr 13, 2023
View reviewed changes
Copy link
Member

@tniessentniessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The title and description only mention chmod and chown, but based on the diff, it looks like there are also issues with link and lutimes.

@tniessentniessen added the security Issues and PRs related to security. label Apr 13, 2023
@RafaelGSSRafaelGSS changed the title permission: fix chmod,chown improve fs coveragepermission: fix chmod,chown,link, and lutimesApr 13, 2023
@tniessen
Copy link
Member

tniessen commented Apr 13, 2023

I need to include it on v20.0.0 proposal for security reasons.

We've previously delayed releasing the permission model whenever a new vulnerability was found. #44004 (comment) suggested a "a baking-time of 1 release for this feature (after landing all the patches)". It's not semver-major so we could land it in 20.1.0 instead, but I assume that's not really an option because 20.x is picking up everything from the main branch.

@RafaelGSS
Copy link
MemberAuthor

RafaelGSS commented Apr 13, 2023

I need to include it on v20.0.0 proposal for security reasons.

We've previously delayed releasing the permission model whenever a new vulnerability was found. #44004 (comment) suggested a "a baking-time of 1 release for this feature (after landing all the patches)". It's not semver-major so we could land it in 20.1.0 instead, but I assume that's not really an option because 20.x is picking up everything from the main branch.

To not land it on v20.x we would need a revert PR to all affected PRs, which I'm not considering as an option for now.

@RafaelGSSRafaelGSS added the commit-queue Add this label to land a pull request using GitHub Actions. label Apr 13, 2023
@nodejs-github-botnodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Apr 13, 2023
@nodejs-github-botnodejs-github-bot merged commit 1323992 into nodejs:mainApr 13, 2023
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Apr 13, 2023

Landed in 1323992

RafaelGSS added a commit that referenced this pull request Apr 13, 2023
@RafaelGSS
permission: fix chmod,chown improve fs coverage
3b04efd
Signed-off-by: RafaelGSS <[email protected]> PR-URL: #47529 Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
RafaelGSS added a commit that referenced this pull request Apr 13, 2023
@RafaelGSS
permission: fix chmod,chown improve fs coverage
1dfdd6f
Signed-off-by: RafaelGSS <[email protected]> PR-URL: #47529 Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
@RafaelGSSRafaelGSS mentioned this pull request Apr 13, 2023
Merged
RafaelGSS added a commit that referenced this pull request Apr 13, 2023
@RafaelGSS
permission: fix chmod,chown improve fs coverage
8bcf0a4
Signed-off-by: RafaelGSS <[email protected]> PR-URL: #47529 Reviewed-By: Benjamin Gruenbaum <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
@github-actionsgithub-actionsbot mentioned this pull request Apr 15, 2023
Open
33 tasks
@tniessentniessen added the permission Issues and PRs related to the Permission Model label Aug 10, 2023
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tniessentniessentniessen left review comments

@benjamingrbenjamingrbenjamingr approved these changes

@marco-ippolitomarco-ippolitomarco-ippolito approved these changes

Assignees

No one assigned

Labels

c++Issues and PRs that require attention from people who are familiar with C++.fast-trackPRs that do not need to wait for 48 hours to land.fsIssues and PRs related to the fs subsystem / file system.needs-ciPRs that need a full CI run.permissionIssues and PRs related to the Permission ModelsecurityIssues and PRs related to security.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@RafaelGSS@nodejs-github-bot@tniessen@benjamingr@marco-ippolito@danielleadams