
Re: chown: race condition with --recursive -L


From: Bernhard Voelker
Subject: Re: chown: race condition with --recursive -L
Date: Thu, 21 Dec 2017 01:19:20 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0

On 12/20/2017 10:43 PM, Michael Orlitzky wrote:
> When calling chown recursively, there is an "obvious" race condition
> that is handled correctly:
>
>    $ sudo mkdir -p foo/bar
>    $ sudo chown --verbose --recursive mjo foo
>    changed ownership of 'foo/bar' from root to mjo
>    changed ownership of 'foo' from root to mjo
>
> If the order was switched, there would be a period of time where mjo
> could do bad things in "foo" before chown operated on its contents. But
> so far so good: the order above is safe, and "chown -R" won't follow
> symlinks by default.
>
> Can we screw things up by dereferencing symlinks? I think so.

[...]

> The depth-first traversal follows the symlink and changes ownership of
> foo/quux (which points to bar) before it changes ownership of bar/baz.
>
> Note that the "--dereference" flag implies the same problem. It forces
> you to set either "-H" or "-L", and in that context, choosing "-H" won't
> prevent the link itself from being dereferenced (notabug 29788).
>
> But what to do about it? I'm not sure... would doing the traversal
> depth-first with respect to realpath help?

Doesn't the same problem exist in the other direction as well?
I mean if you change the ownership of a directory hierarchy from
user A to user B, then both A and B could try to place malicious
symlinks during the processing.  That means depth-first minimizes
the problem regarding the receiving user B but may widen the race
window for user A.

> I think you're asking for trouble when you follow links OR when you
> operate recursively,

+1

> but "-R -L" is POSIX, so I guess we make the best
> of it.

The safest way is to add the --from option in order to ensure (with
the tiniest race window) that user A is still the owner:

  $ sudo chown -v --from=A B file
  ownership of 'file' retained as A

Have a nice day,
Berny
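
Added example, not part of the message above and not coreutils code: the `--from` idea (check the current owner, then change it) done on an open file descriptor, with symlinks refused and children handled before their parent. It assumes Linux (`ELOOP` from `O_NOFOLLOW`); the function names and the sample tree are constructed for illustration.

```python
import errno
import os
import tempfile

OPEN_FLAGS = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_NOCTTY

def chown_from(name, from_uid, to_uid, dir_fd=None):
    """Give `name` to to_uid only if it is owned by from_uid right now."""
    try:
        # O_NOFOLLOW: a symlink planted as the final component is refused.
        fd = os.open(name, OPEN_FLAGS, dir_fd=dir_fd)
    except OSError as exc:
        if exc.errno == errno.ELOOP:      # Linux errno for "is a symlink"
            return "skipped-symlink"
        raise
    try:
        # Check and change use the same descriptor, so swapping the path
        # between the owner check and the chown has no effect.
        if os.fstat(fd).st_uid != from_uid:
            return "retained"
        os.fchown(fd, to_uid, -1)         # -1 leaves the group unchanged
        return "changed"
    finally:
        os.close(fd)

def chown_tree_from(top, from_uid, to_uid):
    """Children first, parent last; never descends through symlinks."""
    results = {}
    walk = os.fwalk(top, topdown=False, follow_symlinks=False)
    for dirpath, dirs, files, dirfd in walk:
        for name in dirs + files:
            # Resolve the name relative to the open directory, not by path.
            path = os.path.join(dirpath, name)
            results[path] = chown_from(name, from_uid, to_uid, dir_fd=dirfd)
    results[top] = chown_from(top, from_uid, to_uid)
    return results

def build_sample_tree():
    """Constructed layout: foo/bar/baz plus foo/quux -> bar (a symlink)."""
    root = tempfile.mkdtemp()
    foo = os.path.join(root, "foo")
    os.makedirs(os.path.join(foo, "bar"))
    open(os.path.join(foo, "bar", "baz"), "w").close()
    os.symlink("bar", os.path.join(foo, "quux"))
    return foo

if __name__ == "__main__":
    me = os.getuid()   # chown to our own uid needs no privilege
    for path, outcome in chown_tree_from(build_sample_tree(), me, me).items():
        print(outcome, path)
```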


