Ensure that only Administrators are able to modify files that are stored within the ChocolateyHttpCache folder #3281
Comments
AdmiringWorm added a commit to AdmiringWorm/choco that referenced this issue Jul 25, 2023
These changes introduce a new validation check to ensure that the system cache folder that is used for storing NuGet responses has been properly locked down to administrators. When the directory exists and allows modifications or creations of files by normal users, this will output a validation warning about steps that can be taken to lock down the directory. When the directory does not exist, this same validation check ensures that the directory is created while only allowing Administrators to modify, create or delete anything in the folder.
gep13 pushed a commit to AdmiringWorm/choco that referenced this issue Jul 25, 2023
gep13 added a commit that referenced this issue Jul 25, 2023
(#3281) Add validation for cache folder permissions
gep13 changed the title from "Protect System cache folder to only allow Administrators to modify" to "Ensure that only Administrators are able to modify files that are stored within the ChocolateyHttpCache folder" Jul 26, 2023
gep13 added a commit that referenced this issue Jul 26, 2023
* release/2.2.0: (21 commits)
  (doc) Update to indicate new package version used
  (maint) Add helper to split on max line lengths
  (#3281) Add validation for cache folder permissions
  (#3264) Update to latest Chocolatey.NuGet.Client
  (#3264) Ignore lock folders in cache directories
  (#3186) Remove easter egg
  (doc) Improve error message for defaultPushSource
  (tests) Clear HTTP Cache before getting packages
  (#3258) Expand logging for nuget resources errors
  (maint) Set file encoding to include BOM
  (#3237) Reduce number of queries for dependencies
  (#3231) Add tests to ensure package listing
  (maint) Remove unnecessary using statements
  (#3231) Don't refresh local package info during upgrade no-ops
  (build) Update to latest recipe package
  (doc) Minor corrections to wording
  (#3242) Add a script to run Authenticated tests
  (#3242) Attempt default credentials for sources
  (maint) Fix incorrect naming style uses
  (doc) Apply scripting best practices to output
  ...
🎉 This issue has been resolved in version 2.2.0 🎉
The release is available on:
Your GitReleaseManager bot 📦🚀
Checklist
Is Your Feature Request Related To A Problem? Please describe.
When we make any calls to any NuGet endpoint we use cached files that are located in the ProgramData\ChocolateyHttpCache folder when running in an elevated context. After data have been acquired from these endpoints we save any JSON or XML data returned from the endpoints in this cache folder and reuse this same information in a certain timeframe.
While these files that are created are locked down to administrators to prevent modifications by non-admins, people are still able to create new folders and files in the directory that could potentially be used as an attack vector when we read the cached files.
Describe The Solution. Why is it needed?
We should lock down the entire caching folder that is used in elevated context to only allow writing, creating and modifications being done by an Administrator. Normal users should only be able to view the files, but not be able to modify or create anything.
Additional Context
No response
Related Issues
No response
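One way to audit the condition this issue describes, as an added example that is not Chocolatey's own validation code: it lists the access rules on the ProgramData\ChocolateyHttpCache folder that let anyone other than Administrators or SYSTEM create, modify or delete content. Treating SYSTEM as trusted, the function name Get-NonAdminWriteRule and the rights mask are assumptions of this example.

```powershell
# Added example: audit who can write to the elevated Chocolatey HTTP cache folder.
# Assumption: BUILTIN\Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) are the
# only trusted writers; every other principal, CREATOR OWNER included, is reported.
$TrustedSids = @('S-1-5-32-544', 'S-1-5-18')

# Rights that allow creating, changing or deleting content, or re-ACLing the folder.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000).
$WriteMask = [int]$rights -bor 0x40000000 -bor 0x10000000

function Get-NonAdminWriteRule {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Resolve identities to SIDs so the check does not depend on localized group names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($TrustedSids -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Sid       = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
            AppliesTo = $rule.InheritanceFlags
        }
    }
}

$cache = Join-Path $env:ProgramData 'ChocolateyHttpCache'
if (-not (Test-Path -LiteralPath $cache -PathType Container)) {
    Write-Output "$cache does not exist yet; nothing to audit."
} else {
    $findings = @(Get-NonAdminWriteRule -Path $cache)
    if ($findings.Count -gt 0) {
        Write-Warning "Non-administrator principals can write to ${cache}:"
        $findings | Format-Table -AutoSize
    } else {
        Write-Output "Only trusted principals can write to $cache."
    }
}
```

On a folder that still inherits the default ProgramData permissions, the Users group (S-1-5-32-545) is typically reported with create-file and create-folder rights, which is the gap the issue describes.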