[Swift-commit] r4051 - in SwiftApps/SwiftR/Swift: R exec

noreply at svn.ci.uchicago.edu noreply at svn.ci.uchicago.edu
Wed Feb 2 11:36:20 CST 2011


Author: tga
Date: 2011-02-02 11:36:20 -0600 (Wed, 02 Feb 2011)
New Revision: 4051

Modified:
   SwiftApps/SwiftR/Swift/R/Swift.R
   SwiftApps/SwiftR/Swift/exec/EvalRBatchPersistent.sh
   SwiftApps/SwiftR/Swift/exec/start-swift
Log:
Security fix: made sure that all of the temporary files created by various components of SwiftR are only readable/writeable by current user.


Modified: SwiftApps/SwiftR/Swift/R/Swift.R
===================================================================
--- SwiftApps/SwiftR/Swift/R/Swift.R	2011-02-02 16:50:13 UTC (rev 4050)
+++ SwiftApps/SwiftR/Swift/R/Swift.R	2011-02-02 17:36:20 UTC (rev 4051)
@@ -1,3 +1,8 @@
+# Modes for directories and files created by SwiftR
+# We only give permissions to the current user.
+kDIR_MODE <- "700"
+kFILE_MODE <- "600"
+
 swiftapply <- function( func, arglists,
                         server=NULL,
                         callsperbatch=NULL,
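Review bot: `kFILE_MODE` is defined here, but none of the Swift.R hunks in this revision reference it, so files that R writes into the request directory still get whatever the R process umask allows. Either apply it where those files are written, for example `Sys.chmod(path, mode=kFILE_MODE)` after each write (`path` standing for the file just written), or drop the constant until something uses it. A request directory that really was created with `kDIR_MODE` already shields its contents, so this is defence in depth. The hunk ends inside the `swiftapply` signature, and the code that writes the request files is outside the visible hunks.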
@@ -110,7 +115,8 @@
   }
   else {
     requestdirbase = sprintf("%s/%s/SwiftR/requests.P%.5d",tmpdir,user,Sys.getpid())
-    dir.create(requestdirbase,recursive=TRUE,showWarnings=FALSE)
+    dir.create(requestdirbase,recursive=TRUE,showWarnings=FALSE, 
+            mode=kDIR_MODE)
     options(swift.requestdirbase=requestdirbase)
     requestid = 0;
   }
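Review bot: `dir.create(requestdirbase, ..., showWarnings=FALSE, mode=kDIR_MODE)` discards its return value, and `mode` is applied only to directories this call actually creates. The path is built from `tmpdir`, `user` and the pid, so in a shared temporary directory it is predictable. If it already exists, whether left by an earlier process or created by another local user, the code carries on with whatever owner and permissions it has. Keep the result, e.g. `ok <- dir.create(requestdirbase, recursive=TRUE, showWarnings=FALSE, mode=kDIR_MODE)`, and when it is FALSE, confirm via `file.info(requestdirbase)` that the path is a directory owned by the current user, then tighten it with `Sys.chmod(requestdirbase, mode=kDIR_MODE)` or stop with an error. The same applies to the `dir.create(reqdir, ...)` call in the next hunk. The enclosing function starts and ends outside this hunk.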
@@ -119,7 +125,7 @@
   # Execute the calls in batches
 
   reqdir = sprintf("%s/R%.7d",requestdirbase,requestid)
-  dir.create(reqdir,recursive=TRUE,showWarnings=FALSE)
+  dir.create(reqdir,recursive=TRUE,showWarnings=FALSE,mode=kDIR_MODE)
   if (! quiet) {
       cat("Swift request is in",reqdir,"\n")
   }  

Modified: SwiftApps/SwiftR/Swift/exec/EvalRBatchPersistent.sh
===================================================================
--- SwiftApps/SwiftR/Swift/exec/EvalRBatchPersistent.sh	2011-02-02 16:50:13 UTC (rev 4050)
+++ SwiftApps/SwiftR/Swift/exec/EvalRBatchPersistent.sh	2011-02-02 17:36:20 UTC (rev 4051)
@@ -3,6 +3,11 @@
 # Arguments: inputBatchSaveFile outputBatchSaveFile
 #   bash @shellscript @RServerScript @rcall @result stdout=@stout stderr=@sterr;
 
+# Set restrictive umask for duration of script
+# This value prevents any other users from reading
+# or writing
+umask "077"
+
 #if [ $# != 4 ]; then
 if [ $# != 3 ]; then
   echo $0: expecting 4 arguments, got $#: $* 1>&2
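Review bot: The comment on `umask "077"` should state that it only governs files created from this point on by the script and its children. The header comment shows stdout and stderr being redirected by the caller, so those files are presumably opened before the umask takes effect, and anything already on disk keeps its existing mode. Suggested wording: `# Applies only to files this script and its children create from here on; existing files and caller-opened redirects keep their modes.` The same caveat belongs next to the `umask 077` added in start-swift.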

Modified: SwiftApps/SwiftR/Swift/exec/start-swift
===================================================================
--- SwiftApps/SwiftR/Swift/exec/start-swift	2011-02-02 16:50:13 UTC (rev 4050)
+++ SwiftApps/SwiftR/Swift/exec/start-swift	2011-02-02 17:36:20 UTC (rev 4051)
@@ -4,6 +4,10 @@
 
 export TRAPEVENTS="EXIT 1 2 3 15"  # Signals and conditions to trap
 
+# Set the umask to prevent any access by other users:
+# there is no reason why any other user should need to look at
+# the temporary files, etc that we create 
+umask 077
 
 
 # Define internal functions



