--- Begin Message ---
Subject: |
chmod: race condition |
Date: |
Sat, 16 Aug 2014 19:44:47 +0200 |
User-agent: |
Mutt/1.5.22 (2013-10-16) |
Hi,
chmod is vulnerable to a TOCTTOU (time of check to time of use) race
condition. Tested this on an OpenBSD system. For people unfamiliar
with OpenBSD, /etc/master.passwd basically equals /etc/shadow:
# chmod --version | head -n 1
chmod (GNU coreutils) 8.23
# ls -l /etc/master.passwd
-rw------- 1 root wheel 4244 Jul 23 21:14 /etc/master.passwd
# chmod -R g+w /usr/src
<second console interferes here>
# ls -l /etc/master.passwd
-rw-rw-r-- 1 root wheel 4244 Jul 23 21:14 /etc/master.passwd
$ rm /usr/src/Makefile
$ ln -s /etc/master.passwd /usr/src/Makefile
For the second console, the user belonged to the same group as
/usr/src (wsrc in this example).
The second console is able to modify Makefile because the directory
/usr/src was already made group-writable.
The race happens in src/chmod.c, around function process_file. Before
it gets called, fts_read() retrieved information about the _file_
Makefile, i.e. before the second console removed it.
Then the file gets replaced by a symlink, pointing to a file we want
to get modified. Now chmodat() resolves the path again and actually
evaluates the _symlink_. The destination file /etc/master.passwd can
be happily parsed by the attacker now.
I won't supply a patch now, as I remember that GNU is a bit picky about
accepting patches from everyone. But I will recommend to look into
the use of fchmodat() instead, supplying the argument
AT_SYMLINK_NOFOLLOW. We discuss this solution at OpenBSD currently.
Tobias
--- End Message ---
--- Begin Message ---
Subject: |
Re: bug#11108: [PATCH] chmod: fix symlink race condition |
Date: |
Wed, 20 Mar 2024 19:01:22 +0000 |
User-agent: |
Mozilla Thunderbird |
On 28/03/2012 21:28, Paul Eggert wrote:
On 03/28/2012 01:13 PM, Jim Meyering wrote:
$ ./chmod u+w f
./chmod: changing permissions of 'f': Operation not supported
Yeouch. I undid the change for now.
Hmm, why did "make check" work for me?
I'll have to investigate later, alas.
Patch for this pushed at:
https://git.sv.gnu.org/cgit/coreutils.git/commit/?id=v9.4-163-g425b8a2f5
Marking this as done.
cheers,
Pádraig.
--- End Message ---