Re: chown: race condition with --recursive -L
From: Michael Orlitzky
Subject: Re: chown: race condition with --recursive -L
Date: Wed, 20 Dec 2017 19:50:09 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0

On 12/20/2017 07:19 PM, Bernhard Voelker wrote:
>>
>> But what to do about it? I'm not sure... would doing the traversal
>> depth-first with respect to realpath help?
>
> Doesn't the same problem exist in the other direction as well?
> I mean if you change the ownership of a directory hierarchy from
> user A to user B, then both A and B could try to place malicious
> symlinks during the processing. That means depth-first minimizes
> the problem regarding the receiving user B but may widen the race
> window for user A.

Yes, but as you mention below, the --from option can be used to prevent
a non-root "source user" from being naughty.

> The safest way is to add the --from option in order to ensure (with
> the most tiny race window) that still user A is the owner:
>
> $ sudo chown -v --from=A B file
> ownership of 'file' retained as A

Indeed, but that only limits what the "source user" can do. This
particular race condition is a "destination user" attack. For example,
--from=root isn't going to prevent me from stealing /etc/passwd with a
symlink to it.
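
An added illustration of the point in this message (not code from the thread or from coreutils): a Python sketch of a recursive ownership change that never follows symlinks and applies a --from-style owner check to the already-opened descriptor, so the check and the change act on the same inode. The function name, the return format and the choice not to descend into directories that fail the owner check are assumptions of this example.

```python
import os
import stat

def chown_tree_nofollow(root, from_uid, to_uid, to_gid=-1):
    """Change ownership under root by file descriptor, refusing symlinks.

    Returns (changed, skipped): paths relative to root ("." is root itself).
    """
    changed, skipped = [], []
    # O_NOFOLLOW makes open() fail on a symlink instead of resolving it;
    # O_NONBLOCK keeps open() from hanging on a FIFO planted in the tree.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK

    def visit(fd, rel):
        st = os.fstat(fd)  # inspects the opened inode, not a path
        if st.st_uid != from_uid:
            # Same idea as --from: only touch what the source user owns.
            skipped.append(rel or ".")
            return
        if stat.S_ISDIR(st.st_mode):
            for name in os.listdir(fd):
                child = os.path.join(rel, name)
                try:
                    # Resolve the name relative to the directory fd, so a
                    # renamed or swapped parent path cannot redirect us.
                    cfd = os.open(name, flags, dir_fd=fd)
                except OSError:
                    skipped.append(child)  # symlink, vanished, unreadable
                    continue
                try:
                    visit(cfd, child)
                finally:
                    os.close(cfd)
        # Children first, then the directory itself.
        os.fchown(fd, to_uid, to_gid)
        changed.append(rel or ".")

    rfd = os.open(root, flags | os.O_DIRECTORY)
    try:
        visit(rfd, "")
    finally:
        os.close(rfd)
    return changed, skipped
```

With this approach a symlink placed in the tree is reported in `skipped` even when its target would pass the owner check, which is the case --from alone does not cover.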