bug-coreutils

security: install 5.93/5.97 ignores --mode on existing dirs if no leadin


From: Marc MERLIN
Subject: security: install 5.93/5.97 ignores --mode on existing dirs if no leading 4th byte
Date: Tue, 1 May 2007 11:17:45 -0700
User-agent: Mutt/1.5.13 (2006-08-11)

Expected behaviour with install 5.2.1:
magic:~# mkdir /tmp/conf
magic:~# chmod 1234 /tmp/conf
magic:~# ls -ld /tmp/conf
d-w--wxr-T  2 root root 4096 2007-05-01 11:00 /tmp/conf
magic:~# install -d -o root -g root  -m 0777 /tmp/conf
magic:~# ls -ld /tmp/conf
drwxrwxrwx  2 root root 4096 2007-05-01 11:00 /tmp/conf
magic:~# install -d -o root -g root  -m 751 /tmp/conf
magic:~# ls -ld /tmp/conf
drwxr-x--x  2 root root 4096 2007-05-01 11:00 /tmp/conf

Incorrect/Insecure behaviour with install 5.93 or 5.97:
address@hidden:~# chmod 1234 /tmp/conf
address@hidden:~# l -d /tmp/conf
d-w--wxr-T 2 nobody nobody 4096 May  1 10:38 /tmp/conf/
address@hidden:~# install -d -o nobody -g nobody -m 777 /tmp/conf
address@hidden:~# l -d /tmp/conf
d-w--wxr-T 2 nobody nobody 4096 May  1 10:38 /tmp/conf/
address@hidden:~# install -d -o nobody -g nobody -m 2777 /tmp/conf
address@hidden:~# l -d /tmp/conf
drwxrwsrwx 2 nobody nobody 4096 May  1 10:38 /tmp/conf/
address@hidden:~# install -d -o nobody -g nobody -m 2555 /tmp/conf
address@hidden:~# l -d /tmp/conf
dr-xr-sr-x 2 nobody nobody 4096 May  1 10:38 /tmp/conf/
address@hidden:~# install -d -o nobody -g nobody -m 0755 /tmp/conf
address@hidden:~# l -d /tmp/conf
dr-xr-sr-x 2 nobody nobody 4096 May  1 10:38 /tmp/conf/
address@hidden:~# install -d -o nobody -g nobody -m 1755 /tmp/conf
address@hidden:~# l -d /tmp/conf
drwxr-xr-t 2 nobody nobody 4096 May  1 10:38 /tmp/conf/

As you can see, the newer install refuses to reset permissions unless
there is some leading byte.

I haven't spent the time scanning open source software that uses install on
critical directories (spool, cron, etc...), but I'm sure one could find a
place where install not properly narrowing perms could lead to some local
exploit.

Anyway, whether that's the case or not, I hope you can get install fixed to
work like earlier versions, and as expected by scripts.

Thanks
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/  
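
A post-install check for the behaviour reported above, as an added example that is not part of the original message or of coreutils: it runs `install -d -m`, confirms the directory really has the requested mode, and falls back to an explicit `chmod` if it does not. The names `dir_mode`, `ensure_dir_mode` and `demo` are hypothetical, the directory is a constructed temporary one, and `stat -c` assumes GNU or BusyBox `stat`.

```shell
#!/bin/sh
# Added example: verify that `install -d -m MODE` really left DIR with MODE.

# Print the permission bits of $1 in octal (GNU/BusyBox stat syntax).
dir_mode() { stat -c '%a' "$1"; }

# ensure_dir_mode DIR MODE
# Runs install -d, then checks the result. Prints "ok" when install applied
# the mode, "repaired" when an explicit chmod was needed, "failed" otherwise.
ensure_dir_mode() {
    dir=$1
    want=$(printf '%o' "0$2")          # normalise: 0777 -> 777
    install -d -m "$2" "$dir" || { echo failed; return 1; }
    if [ "$(dir_mode "$dir")" = "$want" ]; then
        echo ok; return 0
    fi
    # Five-digit form so GNU chmod also clears setuid/setgid on a directory.
    chmod "$(printf '%05o' "0$2")" "$dir" 2>/dev/null
    if [ "$(dir_mode "$dir")" = "$want" ]; then
        echo repaired; return 0
    fi
    echo failed; return 1
}

# Constructed reproduction of the report's first case, in a private temp dir.
demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/conf" && chmod 1234 "$base/conf"
    ensure_dir_mode "$base/conf" 0777   # report: stays 1234 on 5.93/5.97
    ensure_dir_mode "$base/conf" 751
    dir_mode "$base/conf"               # final mode of the directory
    rm -rf "$base"
}

demo
```

A `repaired` line means the installed `install` left the old mode in place and the fallback `chmod` had to narrow or widen it.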
