bug-fileutils

rm - recursive directory removal race condition


From: Wojciech Purczynski
Subject: rm - recursive directory removal race condition
Date: Thu, 7 Mar 2002 22:43:35 +0100 (CET)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Name:           fileutils
Version:        4.1 stable and 4.1.6 development version
Author:         Wojciech Purczynski <address@hidden>
Date:           March 7, 2002

Issue:
- ------

A race condition in the rm utility may cause the root user to delete the
whole filesystem.


Description:
- ------------

The GNU File Utilities are the basic file-manipulation utilities of the
GNU operating system. The rm utility is designed to remove files and
directories from the file system.


Details:
- --------

An insecure chdir("..") operation is performed after removing the contents
of a subdirectory, in order to get back to the parent directory during
recursive removal of a directory tree.

Example of 'rm -fr /tmp/a' removing '/tmp/a/b/c' directory tree:

(strace output simplified for better readability)

chdir("/tmp/a")                         = 0
chdir("b")                              = 0
chdir("c")                              = 0
chdir("..")                             = 0
rmdir("c")                              = 0
chdir("..")                             = 0
rmdir("b")                              = 0
fchdir(3)                               = 0
rmdir("/tmp/a")                         = 0

Once rm's current directory has changed to /tmp/a/b/c, a race condition
occurs. If we then move the /tmp/a/b/c directory to /tmp/c, the two
subsequent chdir("..") operations will move to the root directory /, and rm
will start removing files from the whole file system if it has enough
privileges (i.e. if called by the root user). Other scenarios are possible
depending on how we modify the directory structure that is under removal.

The timeframe of this race condition depends on how complicated the
directory structure is.


Impact:
- -------

An unprivileged user may launch a daemon program that will detect the
removal operation of the user's directories and exploit the race condition,
leading to Denial of Service.


Fix:
- ----

Before going down into a subdirectory, rm should store the device and inode
numbers of the current directory. After the chdir("..") operation, the
stored device and inode numbers should be verified against the device and
inode numbers of the directory it has changed to.


Wojciech Purczynski
iSEC Security Research
http://isec.pl/


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8h98jC+8U3Z5wpu4RAtgQAJ417awb4woSYyJJldFqL4WXKzn1SACcDPv8
f0IwtZGX2HQKAoT9RwYqZEk=
=wDqS
-----END PGP SIGNATURE-----
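
The check described under "Fix", as an added C example that is not part of the original advisory or of the fileutils source. The names `chdir_up_checked` and `demo` are hypothetical, and the directory tree under /tmp is constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: chdir("..") and confirm we arrived in the directory
   whose device/inode pair was recorded before descending. Returns 0 on a
   match, -1 on mismatch or error; on -1 the caller must stop removing. */
int chdir_up_checked(const struct stat *parent)
{
    struct stat now;
    if (chdir("..") != 0 || stat(".", &now) != 0)
        return -1;
    return (now.st_dev == parent->st_dev && now.st_ino == parent->st_ino) ? 0 : -1;
}

/* Constructed scenario: build <tmp>/a/b/c, walk down as rm does, optionally
   move c to <tmp>/c mid-walk. Returns the check result, -2 on setup failure. */
int demo(int move_during_walk)
{
    char base[] = "/tmp/rmrace.XXXXXX", a[64], b[64], c[64], moved[64];
    struct stat parent;
    int rc;

    if (!mkdtemp(base)) return -2;
    snprintf(a, sizeof a, "%s/a", base);
    snprintf(b, sizeof b, "%s/a/b", base);
    snprintf(c, sizeof c, "%s/a/b/c", base);
    snprintf(moved, sizeof moved, "%s/c", base);
    if (mkdir(a, 0700) || mkdir(b, 0700) || mkdir(c, 0700)) return -2;

    if (chdir(b) != 0 || stat(".", &parent) != 0) return -2; /* record b */
    if (chdir("c") != 0) return -2;                          /* descend */
    if (move_during_walk && rename(c, moved) != 0) return -2;

    rc = chdir_up_checked(&parent);   /* the step rm performed unchecked */

    if (chdir("/") != 0) return -2;   /* clean up via absolute paths */
    rmdir(move_during_walk ? moved : c);
    rmdir(b); rmdir(a); rmdir(base);
    return rc;
}

int main(void)
{
    printf("undisturbed: %d, moved: %d\n", demo(0), demo(1));
    return 0;
}
```

When the check fails, the process is already in the wrong directory, so the only safe response is to stop the traversal without issuing any further unlink or rmdir calls.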




