Finding and fixing wrong file permission - TWC installation

Postby ping20 » Mon Dec 21, 2020 4:47 am

How to check for wrong file permissions after Teamwork Cloud installation and fix the installation by changing the file permissions to the correct ones
In the Teamwork Cloud installation instructions provided for the 18.5 SP1, SP2, SP3, SP4, 19.0 GA, SP1, SP2, SP3, SP4 versions, we recommended using the overly broad permission 777, which results in a vulnerability on the computers. Therefore, we have updated the installation instructions and scripts.
The updated installation instructions are available at:

18.5 SP1:
18.5 SP2:
18.5 SP3:
18.5 SP4:
19.0 GA:
19.0 SP1:
19.0 SP2:
19.0 SP3:
19.0 SP4:

Check your Teamwork Cloud installation for the incorrect permission and fix it using the following instructions.
There are two places where the incorrect permissions can be found if the old installation scripts were used.
1. The file /etc/environment.
a. How to check for the problem?
Execute the command
stat /etc/environment
If the problem exists, the access permissions in the output will look like the following:
Access: (0777/-rwxrwxrwx)
b. How to fix the problem?
Execute the following command to change the permission to 644.
chmod 644 /etc/environment

2. The folder /home/twcloud
This is the home folder of the user twcloud, created by the installation helper script.
a. How to check for the problem?
Execute the command
stat /home/twcloud
If the problem exists, the access permissions in the output will look like the following:
Access: (0777/drwxrwxrwx)
b. How to fix the problem?
We recommend revoking write and execute permissions from group (g) and any other user (o).
Execute the following command to do so.
chmod -R g-wx,o-wx /home/twcloud

Before downloading the vulnerability checking and fixing script (vulnerability-check_20201223-2.zip), you need to log on first.

Thank you to @SickCodes https://twitter.com/sickcodes for identifying this issue and reporting the vulnerability (CVE-2020-25507) through our Responsible Disclosure Program. On behalf of NoMagic & 3DS, we acknowledge the value of such ethical sharing and thank Sick Codes for helping us to mitigate this finding.
ping20
Full name: Koramit C.
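
The check-and-fix procedure from the post, as an added example that is not part of the original post and is not the attached vendor script. It goes slightly beyond the stat check by also counting group/other-writable entries below the home folder, since the fix is recursive; the function names and the ENV_FILE/TWC_HOME override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit and repair the two locations named in the post.
# ENV_FILE and TWC_HOME are overridable (an assumption of this sketch) so the
# logic can be tried on scratch copies before touching the real paths.
ENV_FILE="${ENV_FILE:-/etc/environment}"
TWC_HOME="${TWC_HOME:-/home/twcloud}"

# is_world_writable PATH: succeeds if "other" has write permission on PATH itself.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# count_loose_entries DIR: prints how many entries at or below DIR are writable
# by group or other. Symlinks are skipped; their own mode bits are not enforced.
count_loose_entries() {
    find "$1" ! -type l \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null |
        wc -l | tr -d ' '
}

# audit: prints one line per finding and returns 1 if anything needs fixing.
audit() {
    rc=0
    if is_world_writable "$ENV_FILE"; then
        echo "FINDING: $ENV_FILE is world-writable"
        rc=1
    fi
    n=$(count_loose_entries "$TWC_HOME")
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n entries at or below $TWC_HOME are group/other-writable"
        rc=1
    fi
    return "$rc"
}

# remediate: applies exactly the two chmod commands given in the post.
remediate() {
    chmod 644 "$ENV_FILE"
    chmod -R g-wx,o-wx "$TWC_HOME"
}

# Command-line entry point: "audit" only reports, "fix" repairs and re-checks.
case "${1:-}" in
    audit) audit ;;
    fix)   remediate && audit ;;
esac
```

Saved to a file, it is run with the argument audit to report only, or as root with the argument fix to apply the two chmod commands and re-check.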
