fix(security): restrict biometric model file permissions to root-only #1106
Open
RedEye1605 wants to merge 1 commit into
Conversation
Face model files (.dat) in /etc/howdy/models contain sensitive biometric data (face embedding vectors) but are created with world-readable 644 permissions, and the models directory itself is 755. Any unprivileged user or process can read these models.

Changes:
- add.py: create models directory with mode 0o700, chmod model file to 0o600 after write
- remove.py: maintain 0o600 permissions after rewriting model file
- postinst: chmod existing models dir to 0o700 and all .dat files to 0o600 after the broad chmod 755 on /etc/howdy

This ensures only root (and the PAM stack running as root) can access biometric data, following the principle of least privilege.

Closes boltgolt#1098
I noticed that face model files are created world-readable (644) under /etc/howdy/models, which means any unprivileged user on the system can read biometric embedding vectors. This was reported in #1098.
The root cause is twofold:
- os.makedirs() in add.py doesn't specify mode, so it inherits the default (usually 755)
- chmod 755 -R /etc/howdy/, which explicitly makes models world-readable

What this changes:
- add.py: create the models directory with mode=0o700 and os.chmod() the model file to 0o600 after writing
- remove.py: maintain 0o600 permissions after rewriting the model file
- postinst: after the chmod 755, explicitly restrict the models directory to 0o700 and all model files to 0o600

The PAM authentication stack runs as root, so this doesn't affect normal operation. Only root can now read the biometric data.
Tested on Fedora 43 with howdy-git: howdy add creates files with -rw------- and the directory is drwx------.

Closes #1098
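The approach discussed above (create the directory 0o700, chmod the model file to 0o600 after writing) still leaves a short window in which a freshly written file carries the umask-derived 0o644 mode, and os.makedirs(mode=...) neither overrides umask nor changes the mode of a directory that already exists. The following is an added example, not howdy's code: it writes the secret to a temporary file that tempfile.mkstemp creates 0o600 regardless of umask and atomically renames it over the target, so no world-readable copy ever exists, and it includes the audit a postinst step would want. The helper names write_private_file, find_exposed, mode_of and demo, and the sample bytes, are constructed for this example; POSIX permission semantics are assumed.

```python
import os
import stat
import tempfile

DIR_MODE = 0o700   # owner-only directory, like /etc/howdy/models after the fix
FILE_MODE = 0o600  # owner-only file, like a model .dat after the fix


def mode_of(path: str) -> int:
    """Permission bits of path (e.g. 0o600), without file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_private_file(directory: str, name: str, data: bytes) -> str:
    """Store data at directory/name so it is never readable by other users.

    mkstemp creates the temporary file 0o600 no matter what the umask is,
    and os.replace swaps it in atomically, so a pre-existing 0o644 file is
    replaced rather than appended to with its old, too-wide mode.
    """
    # mode= only affects the leaf directory, is masked by umask, and is
    # ignored when the directory already exists, so chmod explicitly.
    os.makedirs(directory, mode=DIR_MODE, exist_ok=True)
    os.chmod(directory, DIR_MODE)

    target = os.path.join(directory, name)
    fd, tmp = tempfile.mkstemp(prefix=".tmp-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, FILE_MODE)  # already 0o600 from mkstemp; state intent
        os.replace(tmp, target)   # atomic on POSIX
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return target


def find_exposed(directory: str) -> list:
    """Audit: return every directory or file under directory readable,
    writable or executable by group or others (any of the 0o077 bits set)."""
    exposed = []
    for root, _dirs, files in os.walk(directory):
        for entry in [root] + [os.path.join(root, f) for f in files]:
            if stat.S_IMODE(os.lstat(entry).st_mode) & 0o077:
                exposed.append(entry)
    return exposed


def demo() -> dict:
    """Exercise the helpers in a throwaway directory and report what was observed."""
    base = tempfile.mkdtemp()
    models = os.path.join(base, "models")
    # Constructed stand-in for a face embedding; not real model data.
    path = write_private_file(models, "1000.dat", b"\x00" * 16)
    result = {
        "path": path,
        "dir_mode": mode_of(models),
        "file_mode": mode_of(path),
        "exposed_initially": find_exposed(models),
    }
    # Simulate a model left world-readable by an older install.
    os.chmod(path, 0o644)
    result["exposed_after_loosen"] = find_exposed(models)
    # A rewrite (as remove.py does) must tighten the mode again.
    path = write_private_file(models, "1000.dat", b"\x01" * 16)
    result["file_mode_after_rewrite"] = mode_of(path)
    with open(path, "rb") as f:
        result["content_after_rewrite"] = f.read()
    result["exposed_after_rewrite"] = find_exposed(models)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

find_exposed is the check to run after the postinst chmod 755 -R: if it returns anything under the models directory, the tightening step did not take effect.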