bug#18280: closed (chmod: fix symlink race condition)

[GNU bug Tracking System]

Your message dated Wed, 20 Mar 2024 19:01:22 +0000
with message-id <72010fe2-c127-6462-d8b7-f754a5d87ffa@draigBrady.com>
and subject line Re: bug#11108: [PATCH] chmod: fix symlink race condition
has caused the debbugs.gnu.org bug report #11108,
regarding chmod: fix symlink race condition
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
11108: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=11108
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
> --- Begin Message ---
>
>
>
> Subject: 
>
> chmod: race condition
>
>
>
>
> Date: 
>
> Sat, 16 Aug 2014 19:44:47 +0200
>
>
>
>
> User-agent: 
>
> Mutt/1.5.22 (2013-10-16)
>
>
>
>
> Hi,
>
> chmod is vulnerable to a TOCTTOU (time of check to time of use) race
> condition. Tested this on an OpenBSD system.  For people unfamiliar
> with OpenBSD, /etc/master.passwd basically equals /etc/shadow:
>
> # chmod --version | head -n 1
> chmod (GNU coreutils) 8.23
> # ls -l /etc/master.passwd
> -rw-------  1 root  wheel  4244 Jul 23 21:14 /etc/master.passwd
> # chmod -R g+w /usr/src
> <second console interferes here>
> # ls -l /etc/master.passwd
> -rw-rw-r--  1 root  wheel  4244 Jul 23 21:14 /etc/master.passwd
>
> $ rm /usr/src/Makefile
> $ ln -s /etc/master.passwd /usr/src/Makefile
>
> For the second console, the user belonged to the same group as
> /usr/src (wsrc in this example).
>
> The second console is able to modify Makefile because the directory
> /usr/src was already made group-writable.
>
> The race happens in src/chmod.c, around function process_file.  Before
> it gets called, fts_read() retrieved information about the _file_
> Makefile, i.e. before the second console removed it.
>
> Then the file gets replaced by a symlink, pointing to a file we want
> to get modified.  Now chmodat() resolves the path again and actually
> evaluates the _symlink_.  The destination file /etc/master.passwd can
> be happily parsed by the attacker now.
>
>
> I won't supply a patch now, as I remember that GNU is a bit picky about
> accepting patches from everyone.  But I will recommend to look into
> the use of fchmodat() instead, supplying the argument
> AT_SYMLINK_NOFOLLOW.  We discuss this solution at OpenBSD currently.
>
>
> Tobias
>
>
>
> --- End Message ---
> --- Begin Message ---
>
>
>
> Subject: 
>
> Re: bug#11108: [PATCH] chmod: fix symlink race condition
>
>
>
>
> Date: 
>
> Wed, 20 Mar 2024 19:01:22 +0000
>
>
>
>
> User-agent: 
>
> Mozilla Thunderbird
>
>
>
>
> On 28/03/2012 21:28, Paul Eggert wrote:
> > On 03/28/2012 01:13 PM, Jim Meyering wrote:
> > >      $ ./chmod u+w f
> > >      ./chmod: changing permissions of 'f': Operation not supported
> >
> > Yeouch.  I undid the change for now.
> > Hmm, why did "make check" work for me?
> > I'll have to investigate later, alas.
>
> Patch for this pushed at:
> https://git.sv.gnu.org/cgit/coreutils.git/commit/?id=v9.4-163-g425b8a2f5
>
> Marking this as done.
>
> cheers,
> Pádraig.
>
>
> --- End Message ---