Re: [PATCH v3 2/2] doc: warn about following symlinks recursively in chown/chgrp
Mon, 8 Jan 2018 08:33:02 +0100
On 01/04/2018 05:38 PM, Michael Orlitzky wrote:
@@ -1427,6 +1427,13 @@ a command line argument is a symbolic link to a
directory, traverse it.
@cindex symbolic link to directory, traverse each that is encountered
In a recursive traversal, traverse every symbolic link to a directory
that is encountered.
+This option creates a security risk. In the presence of symlinks, the
+traversal is not guaranteed to be performed depth-first. As a result,
+there is a race condition: an attacker may be able to introduce a
+symlink at a point in the traversal that has yet to be reached. When
+it is reached, the operation will be performed on the target of that
+symlink, possibly allowing the attacker to escalate his privileges.
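Review bot: The opening sentence "This option creates a security risk" is unconditional, while the race described in the lines after it depends on an attacker being able to "introduce a symlink at a point in the traversal that has yet to be reached"; state that condition up front so the reader can tell whether their hierarchy is affected. The "not guaranteed to be performed depth-first" sentence ties the race to traversal order, but the sentence about introducing a symlink ahead of the traversal does not depend on any particular order, so the paragraph reads more accurately without it. Prefer "their privileges" to "his privileges", and consider closing the paragraph with what the reader should do instead.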
I'm not 100% happy with it yet.
* the patch adds the above to the macro choptL which is also used in
  node chcon. Do you see the danger for chcon(1), too?
* IMO we should avoid mentioning internal processing strategies like
  "depth-first" - even guaranteeing that would not avoid this
  issue: there is no reason to trust FROM-USER more than NEW-USER.
  Furthermore, not only these 2 users may be potential attackers in
  this scenario, but also others, depending on the mode bits of the
  involved files and directories, ACLs etc.
What about the attached?
Thanks & have a nice day,
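
The reply's point that mode bits decide who can plant a symlink can be checked before a recursive run; the following is an added example, not part of the original message or of coreutils. `audit_tree` and its reason strings are hypothetical names, ACLs are not inspected, and the result is a point-in-time snapshot that does not remove the race.

```python
import os
import stat
import sys


def audit_tree(root, trusted_uids=(0,)):
    """Return (path, reason) pairs showing where a symlink already exists,
    or where a uid outside the trusted set could create one, under root."""
    trusted = set(trusted_uids) | {os.geteuid()}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        try:
            st = os.lstat(dirpath)
        except FileNotFoundError:
            continue  # removed while we were walking
        if st.st_uid not in trusted:
            findings.append((dirpath, "dir-owned-by-untrusted-uid"))
        # The sticky bit does not help: it restricts deletion, not creation.
        if st.st_mode & stat.S_IWOTH:
            findings.append((dirpath, "dir-world-writable"))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((dirpath, "dir-group-writable"))
        # os.walk lists symlinks to directories in dirnames without descending.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                is_link = stat.S_ISLNK(os.lstat(path).st_mode)
            except FileNotFoundError:
                continue
            if is_link:
                kind = "symlink-to-dir" if os.path.isdir(path) else "symlink"
                findings.append((path, kind))
    return findings


if __name__ == "__main__":
    for path, reason in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{path}")
```

An empty result means only that no symlink and no directory writable through mode bits by another uid was present at scan time.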