[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: chown: race condition with --recursive -L
|
From: |
Bernhard Voelker |
|
Subject: |
Re: chown: race condition with --recursive -L |
|
Date: |
Thu, 28 Dec 2017 19:01:04 +0100 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0 |
On 12/28/2017 04:36 PM, Michael Orlitzky wrote:
Does anyone mind if I reserve a CVE for this?
Of course not - but I doubt that we can do much about it:
the chown(1) binary is just a wrapper around chown(2)/lchown(2),
so whatever (other) utility uses these system calls in a recursive
way will be prone to that trap.
I think the best way to handle this is to keep teaching sysadmins
to avoid the --dereference option together with -R; usually
"chown -R" with the default -P is probably good enough.
It would probably be good to add a clarifying sentence to the Texinfo
documentation. Would you like to propose a sentence?
Have a nice day,
Berny