topic Re: [file PIPE] - how to secure? in New SAS User

[file PIPE] - how to secure?

k4minou — Tue, 09 Jul 2019 08:09:43 GMT

Hi,

I am wondering if there is a way to secure the file piping?

/* for example.. */
/* we scan the disk F with all its (sub)contents */
filename
	&fileDesc. pipe
	"@echo off & for /f ""delims="" %a in ('dir F: /s /b') do echo %~fa %~ta %~za"
	lrecl=32767;
%diskScan(&fileDesc., diskName = F);

/* now we have the full pathname to delete files, let's say a directory... */
filename
	&fileDesc. pipe
	"@echo off & rd F:\someDir2Remove /S /Q"
	lrecl=32767;
%diskScan(&fileDesc., diskName = F);

the macro %diskScan is a simple macro reading the &fileDesc. with few regex

As you can see, we can inject in the pipe some command that could be a serious problem.

Moreover, the other point is after the full scan, we can see the file that we are not supposed to see

So, is there a way to secure it (without disabling the pipe) ?

Thank you in advance for your reply/help

😃

Re: [file PIPE] - how to secure?

andreas_lds — Mon, 08 Jul 2019 11:05:45 GMT

If the user has the file-system-rights to delete the file, securing pipe would be of no use, because he/she could just use the fdelete function.

Re: [file PIPE] - how to secure?

AngusLooney — Mon, 08 Jul 2019 11:25:15 GMT

file pipe can be disabled entirely using the -noxcmd start up option, in facts, that's the default in most configurations. It's a difficult topic, XCMDs bring very significant and powerful capabilities, but Spiderman allies (great power, great responsibilities).

You can basically do whatever your user account is allowed to do, and if that means file deleting, you can.

So, it throws a focus on to the SAS environment being properly configured and setup, that end users DO NOT have permissions to write and delete inside the SAS configuration directory, etc.

Perhaps the greatest risk is that mistakes can happen, a bit of code to "delete files" is fine when you use it as intended on "your" files, but the day you pass it a blank "directory" value, it ends up working on a directory you didn't intend, and merrily deletes everyone else's files.

Re: [file PIPE] - how to secure?

Kurt_Bremser — Mon, 08 Jul 2019 11:56:42 GMT

If you do not want that users have access to certain files, you need to properly set permissions on the operating system level. As long as users have a system account, they can use that outside of SAS to wreck your day (if you are the system admin, and were sloppy).

Re: [file PIPE] - how to secure?

k4minou — Tue, 09 Jul 2019 08:08:28 GMT

Thank you all for your kind replies 😃

I was not clear sorry ; I am only a regular user, I am not an administrator and have thus no actions on the server in terms of settings.

The current environnement :

• OS = WIN (X64_SRV12)
• SAS = 9.04.01M3P062415

Via Windows Explorer (even via dos command), the differents properties level are good - I can only access, read or write the files/directories that I am supposed to.

Same for SAS Guide Explorer, the partitioning of the differents files are good, I can only see/manipulate what I am supposed to see/manipulate

And the problem occurs with the piping... I can read full path filename then with a CP command, I can grab everything I want, I can even delete and all of this via piping command injection.

I have to report this problem to the administrators, but before to do it, I am here to know if there is any way to secure without disabling the piping (because I need the piping...)

Why I need it ? Because I want to dynamically mount a network disk that is not mounted by default, to work on it (maybe there is a specific function/command on SAS?)

I do it with these instructions

filename
	&fileDesc. pipe
	"@echo off & NET USE T: /DELETE /Y & NET USE T: \\XXXX\ZZZ"
	lrecl=32767;
%diskScan(&fileDesc., diskName = T);

Thank you again in any case ^^

o( ^ ^ )o Cheers!!! o( ^ ^ )o

Re: [file PIPE] - how to secure?

k4minou — Tue, 09 Jul 2019 08:17:27 GMT

The fdelete is only usefull if we know the full path, by default everything is partitionned here and each group of user can see the files they are supposed to see.

If I can see C:\Dir\File2Delete.txt then ofc I dont need to use weird way to delete it.

The main problem here is thanks to the piping, I can see the files I am not supposed to see, it also means that I know the full path name which can become the arg for my deletion (with fdelete or not) 😃

Re: [file PIPE] - how to secure?

k4minou — Tue, 09 Jul 2019 08:21:26 GMT

Completely agreed with you on this 😃

That's why I wanted to know if there is a way to secure it (without disabling it lol)

Re: [file PIPE] - how to secure?

AngusLooney — Tue, 09 Jul 2019 08:48:59 GMT

With Windows, you can usually just use the UNC, no need to mount it in order to be able to access it.

So, you can use "\\xxxx\zzz\thefile.txt" as the path to the file, in an import for instance.

Re: [file PIPE] - how to secure?

k4minou — Tue, 09 Jul 2019 09:15:08 GMT

Thank you, but...

As I got some “unc path not supported” as errors, I gave up and finaly used the simplest and also fastest way; to mount a virtual network disk which is only existed during the session SAS

But yes, I firstly tried with UNC directly 😃

Re: [file PIPE] - how to secure?

AngusLooney — Tue, 09 Jul 2019 09:20:21 GMT

Well, if it won't work implicitly, you've got no choice. Odd though.

Re: [file PIPE] - how to secure?

k4minou — Tue, 09 Jul 2019 09:56:29 GMT

lol yes, if the server works well it will be easier for the rest of the world ^^