Re: [PATCH v3 2/2] doc: warn about following symlinks recursively in cho

From: Bernhard Voelker
Subject: Re: [PATCH v3 2/2] doc: warn about following symlinks recursively in chown/chgrp
Date: Mon, 8 Jan 2018 08:33:02 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2

On 01/04/2018 05:38 PM, Michael Orlitzky wrote:
--- a/doc/coreutils.texi
+++ b/doc/coreutils.texi
@@ -1427,6 +1427,13 @@ a command line argument is a symbolic link to a 
directory, traverse it.
  @cindex symbolic link to directory, traverse each that is encountered
  In a recursive traversal, traverse every symbolic link to a directory
  that is encountered.
+This option creates a security risk. In the presence of symlinks, the
+traversal is not guaranteed to be performed depth-first. As a result,
+there is a race condition: an attacker may be able to introduce a
+symlink at a point in the traversal that has yet to be reached. When
+it is reached, the operation will be performed on the target of that
+symlink, possibly allowing the attacker to escalate his privileges.
  @end macro
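
Review bot: The second added sentence ("the traversal is not guaranteed to be performed depth-first") ties the warning to an internal traversal order and presents that order as the cause of the race. The exposure does not depend on order: whoever can create entries in a directory that has yet to be visited can place the symlink there. Suggest dropping that sentence and stating the condition in terms of write access to directories inside the hierarchy being traversed. The addition also sits directly before `@end macro`, so it will be emitted for every command whose documentation expands this macro; confirm the wording is accurate for each of them. Minor: "escalate his privileges" reads better as "escalate privileges".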

I'm not 100% happy with it yet.

* the patch adds the above to the macro choptL which is also used in
node chcon.  Do you see the danger for chcon(1), too?

* IMO we should avoid mentioning internal processing strategies like
"depth-first" - even guaranteeing that would not avoid this
issue: there is no reason to trust FROM-USER more than NEW-USER.
Furthermore, not only these 2 users may be potential attackers in
this scenario, but also others, depending on the mode bits of the
involved files and directories, ACLs etc.

What about the attached?

Thanks & have a nice day,

Attachment: 0001-doc-warn-about-following-symlinks-recursively-in-cho.patch
Description: Text Data
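
The point raised in the reply above, that anyone able to write into the hierarchy can plant a symlink, can be checked before running a recursive, symlink-following ownership change. The following is an added example, not code from this thread or from coreutils; `audit_tree` and `build_sample_tree` are hypothetical names, the sample tree is constructed, and only ownership and mode bits are inspected (ACLs are not).

```python
import os
import stat
import tempfile


def audit_tree(root):
    """Pre-flight check for a recursive, symlink-following ownership change.

    Returns (escaping, writable): symlinks to directories that resolve outside
    root, and directories where another user could add entries.
    Only ownership and mode bits are checked; ACLs are not inspected.
    """
    root_real = os.path.realpath(root)
    me = os.geteuid()
    escaping, writable = [], []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        st = os.lstat(dirpath)
        if st.st_uid != me or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            writable.append(dirpath)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                inside = os.path.commonpath([root_real, target]) == root_real
                if os.path.isdir(target) and not inside:
                    escaping.append((path, target))
    return escaping, writable


def build_sample_tree():
    """Constructed sample: a tree with one shared directory and two symlinks."""
    base = os.path.realpath(tempfile.mkdtemp())
    root, outside = os.path.join(base, "tree"), os.path.join(base, "outside")
    shared = os.path.join(root, "shared")
    os.makedirs(shared)
    os.makedirs(os.path.join(root, "private"))
    os.mkdir(outside)
    for d in (root, os.path.join(root, "private"), outside):
        os.chmod(d, 0o755)
    os.chmod(shared, 0o777)  # anyone may create entries here
    os.symlink(outside, os.path.join(shared, "escape"))  # leaves the tree
    os.symlink(os.path.join(root, "private"), os.path.join(shared, "local"))
    return root, outside


if __name__ == "__main__":
    root, _ = build_sample_tree()
    for found in audit_tree(root):
        print(found)
```

A clean result is a snapshot only: it shows where the tree is exposed at the time of the check and does not close the race window discussed in the thread.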
