coreutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: chown: race condition with --recursive -L


From: Michael Orlitzky
Subject: Re: chown: race condition with --recursive -L
Date: Wed, 20 Dec 2017 19:50:09 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0

On 12/20/2017 07:19 PM, Bernhard Voelker wrote:
>>
>> But what to do about it? I'm not sure... would doing the traversal
>> depth-first with respect to realpath help?
> 
> Doesn't the same problem exist in the other direction as well?
> I mean if you change the ownership of a directory hierarchy from
> user A to user B, then both A and B could try to place malicious
> symlinks during the processing.  That means depth-first minimizes
> the problem regarding the receiving user B but may widen the race
> window for user A. 

Yes, but as you mention below, the --from option can be used to prevent
a non-root "source user" from being naughty.


> The safest way is to add the --from option in order to ensure (with
> the most tiny race window) that still user A is the owner:
> 
>    $ sudo chown -v --from=A B file
>    ownership of 'file' retained as A

Indeed, but that only limits what the "source user" can do. This
particular race condition is a "destination user" attack. For example,
--from=root isn't going to prevent me from stealing /etc/passwd with a
symlink to it.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]