View Issue Details

ID: 0003552
Project: Slicer4
Category: Core: Extensions
View Status: public
Last Update: 2017-06-10 08:51
Reporter: bpaniagua
Assigned To: matthew-woehlke
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: Slicer 4.3.1
Target Version: Slicer 4.4.0
Fixed in Version:
Summary: 0003552: Multi-user Slicer Extension installations - Linux
Description

In the Imaging Ortholab in the School of Dentistry, UNC, we are having problems installing extensions in a multi-user Linux environment.

The main issue is caused by the fact that when an extension gets installed, it first downloads the package in /temp, then it unzips it in the home directory of the user. When that user logs out and another user tries to repeat the same operation, a permissions problem occurs because that user is trying to re-download the same package in /temp, where it still exists and belongs to the previous user.

We have a way around it, a script that runs at logout and deletes everything in /temp, but we would like to know if this is something that could be solved. Another option is to restart the machine (to get /temp cleaned up), but our users in the lab might not know or remember all these technicalities.

Thank you so much in advance!!

Tags: No tags attached.

Relationships

has duplicate 0002923 closed jcfr MacOSX - Slicer's additional module paths are user-dependent but extensions are not

Activities

matthew-woehlke


2014-03-19 11:59

developer   ~0011458

So... pedantically, this is a security vulnerability; the download name is predictable, which could potentially allow an attacker to overwrite the file with their own content, which is then extracted into the user's home directory.

Never mind that we are littering the temporary directory with old downloads :-).

Better would be to save the download to a temporary file with a guaranteed-unique name, and delete it again when done.

matthew-woehlke


2014-03-19 12:00

developer   ~0011459

https://github.com/mwoehlke-kitware/Slicer/tree/3552-safe-temporary-for-extension-download changes it to work as suggested in the previous comment.

matthew-woehlke


2014-04-03 08:11

developer   ~0011531

Fixed in r23041

jcfr


2014-09-17 23:01

administrator   ~0012568

Closing resolved issues that have not been updated in more than 3 months.

Related Changesets

Import 2017-06-07 23:51:09: master 1e65b561

2014-04-03 11:39:07

mwoehlke

BUG: Use a safe temporary path for download

Change extension downloading to use a temporary file for the download
location. This ensures that a: we don't clutter the temporary directory
with old downloads, b: multiple users can download the same extension
using a shared temporary directory (e.g. most UNIX-like systems), and c:
the file name is not predictable, which is a security vulnerability.

Issue 0003552

git-svn-id: http://svn.slicer.org/Slicer4/trunk@23041 3bd1e089-480b-0410-8dfb-8563597acbee
mod - Base/QTCore/qSlicerExtensionsManagerModel.cxx
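
The pattern this changeset's message describes, as an added example that is not Slicer's code (the actual change to qSlicerExtensionsManagerModel.cxx is not shown on this page). It assumes a POSIX system and uses mkstemp() rather than Qt; `open_predictable`, `ScopedDownload` and the `extension-download` prefix are hypothetical names.

```cpp
#include <cstdlib>
#include <stdexcept>
#include <string>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// "Before" pattern: the name is predictable, and O_CREAT without O_EXCL
// reuses whatever file (or symlink target) another user already put there.
int open_predictable(const std::string& dir, const std::string& archive) {
  return open((dir + "/" + archive).c_str(), O_WRONLY | O_CREAT, 0644);
}

// "After" pattern (hypothetical helper): a uniquely named download file that
// is removed again when the object goes out of scope.
class ScopedDownload {
public:
  explicit ScopedDownload(const std::string& dir) {
    const std::string tmpl = dir + "/extension-download.XXXXXX";
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    // mkstemp() fills in XXXXXX and opens with O_CREAT | O_EXCL, mode 0600,
    // so an existing file or symlink under that name is never reused.
    fd_ = mkstemp(buf.data());
    if (fd_ < 0) throw std::runtime_error("mkstemp failed");
    path_ = buf.data();
  }
  ~ScopedDownload() {
    close(fd_);
    unlink(path_.c_str());  // no stale downloads left in the shared directory
  }
  ScopedDownload(const ScopedDownload&) = delete;
  ScopedDownload& operator=(const ScopedDownload&) = delete;

  int fd() const { return fd_; }
  const std::string& path() const { return path_; }

  // True if the file is regular, owned by us, and closed to group/other.
  bool is_private() const {
    struct stat st;
    return fstat(fd_, &st) == 0 && S_ISREG(st.st_mode) &&
           st.st_uid == geteuid() && (st.st_mode & 077) == 0;
  }

private:
  int fd_ = -1;
  std::string path_;
};
```

When the pre-existing file belongs to a different user, `open_predictable` typically fails with a permission error instead, which is the symptom reported in this issue.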

Issue History

Date Modified Username Field Change
2014-01-10 06:38 bpaniagua New Issue
2014-01-10 06:38 bpaniagua Status new => assigned
2014-01-10 06:38 bpaniagua Assigned To => jcfr
2014-03-06 11:01 jcfr Assigned To jcfr => matthew-woehlke
2014-03-06 11:01 jcfr Target Version => Slicer 4.4.0
2014-03-19 11:59 matthew-woehlke Note Added: 0011458
2014-03-19 12:00 matthew-woehlke Note Added: 0011459
2014-03-19 12:00 matthew-woehlke Status assigned => feedback
2014-04-03 08:11 matthew-woehlke Note Added: 0011531
2014-04-03 08:11 matthew-woehlke Status feedback => resolved
2014-04-03 08:11 matthew-woehlke Resolution open => fixed
2014-04-22 15:53 jcfr Relationship added has duplicate 0002923
2014-09-17 22:59 jcfr Status resolved => closed
2014-09-17 23:01 jcfr Note Added: 0012568
2017-06-10 08:51 Changeset attached => Slicer master 1e65b561