Status: Open

Labels:
- Area: Security
- Component: Composer
- Issue: Confirmed (Gate 3 passed; manual verification of the issue completed)
- Priority: P3 (may be fixed according to the position in the backlog)
- Progress: ready for grooming
- Reproduced on 2.4.x (reproduced on the latest 2.4-develop branch)
Description
I believe that there is a problem with the permissions set by many modules.
I checked some of our production platforms this morning and they all have this permission problem.
Setting the permissions with the find command as documented will only fix the group permissions, not the permissions for other users.
Preconditions
- Magento 2.3.4 composer installation

Steps to reproduce
- Check that your umask is correct, otherwise set it to the distribution default:
  ```
  $ umask
  0002
  $ umask 0002
  ```
- Create the project:
  ```
  $ composer create-project --repository-url=https://repo.magento.com/ magento/project-community-edition
  ```
Expected result
- No file should be world writable. The following command, run in the project directory, should return no result:
  ```
  $ find -perm -o+w -not -type l
  ```

Actual result
- The command returns tens of thousands of paths:
  ```
  $ find -perm -o+w -not -type l | wc -l
  45415
  ```

Sample file with wrong permissions:
```
-rw-rw-rw- 1 x2i www-data 1370 Feb 4 10:28 vendor/magento/magento2-base/index.php
```

Sample file with good permissions:
```
-rw-r--r-- 1 x2i www-data 2378 Feb 4 2020 .vendor/magento/zendframework1/library/Zend/Date/DateObject.php
```