GNU bug report logs - #32772
chmod: use O_PATH to avoid TOCTOU bug


Package: coreutils;

Reported by: Jeff Epler <jepler <at> gmail.com>

Date: Wed, 19 Sep 2018 15:05:02 UTC

Severity: wishlist

Tags: patch

Merged with 11108, 18280

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-coreutils <at> gnu.org:
bug#32772; Package coreutils. (Wed, 19 Sep 2018 15:05:02 GMT)

Acknowledgement sent to Jeff Epler <jepler <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Wed, 19 Sep 2018 15:05:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Jeff Epler <jepler <at> gmail.com>
To: bug-coreutils <at> gnu.org
Subject: TOCTOU bug in chmod
Date: Wed, 19 Sep 2018 07:49:19 -0500
When a directory is replaced with a symlink at a critical moment, `chmod`
will perform the unintended action of changing the mode of the linked-to
file or directory.  I tested in coreutils 8.26 on Debian stretch, but
believe that the current version 8.30 and the development version are
vulnerable.

Basically, when chmodat is used here
http://git.savannah.gnu.org/cgit/coreutils.git/tree/src/chmod.c?id=694d10b71e418ef4ea68847185b73544fe03eae2#n273
it will dereference the symlink.  Changing to lchmodat should resolve the
problem, except that on GNU/Linux, it appears this works by passing
AT_SYMLINK_NOFOLLOW to fchmodat, but that flag is noted as "not currently
implemented" in the local man page ("release 4.10 of the Linux man-pages
project").  Consequently, I'm not even sure there is a correct fix
available on this common platform.

Here are my steps to reproduce, which involve using gdb to pause the
execution of chmod while the substitution is made, so that the window of
opportunity is made as large as possible.  I have followed the steps
manually several times, so I hope they are correct and don't have any
transcription errors.

### Note the ironic unsafe use of /tmp
$ umask 077
$ mkdir -p /tmp/a/b/c; touch /tmp/a/b/c/d; touch /tmp/donttouchthis
### /tmp/donttouchthis is mode 0600 here
$ ls -l /tmp/donttouchthis
$ gdb --args chmod -R u=u /tmp/a
(gdb) b fchmodat
(gdb) run
Breakpoint 1, fchmodat (fd=-100, file=0x5555557640f0 "/tmp/a", mode=493,
(gdb) condition 1 !strcmp(file, "c")
(gdb) continue
Breakpoint 1, fchmodat (fd=5, file=0x55555576d6f8 "c", mode=493, flag=0)
(gdb) shell cd /tmp/a/b && mv c noc && ln -s /tmp/donttouchthis c
(gdb) continue
/bin/chmod: cannot read directory '/tmp/a/b/c': Not a directory
[Inferior 1 (process 13718) exited with code 01]
(gdb) shell ls -l /tmp/donttouchthis
### donttouchthis is mode 0700 here, the old mode of /tmp/a/b/c!

Note how the mode of /tmp/donttouchthis has been changed from 0600 to 0700,
because it got the mode of the directory '/tmp/a/b/c'.

Information forwarded to bug-coreutils <at> gnu.org:
bug#32772; Package coreutils. (Wed, 19 Sep 2018 19:58:01 GMT)

Message #8 received at 32772 <at> debbugs.gnu.org:

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Jeff Epler <jepler <at> gmail.com>, 32772 <at> debbugs.gnu.org
Subject: Re: bug#32772: TOCTOU bug in chmod
Date: Wed, 19 Sep 2018 12:56:59 -0700
Jeff Epler wrote:
> Changing to lchmodat should resolve the problem

No, that would just introduce the opposite bug: chmod is supposed to follow a 
symlink, and using lchmod would let an attacker provoke a race that would cause 
chmod to not follow a symlink that it should.

A better way to fix this problem on GNU/Linux is to use O_PATH, not lchmod. I 
don't know of any way to fix it on other platforms that lack O_PATH.
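The O_PATH approach Paul describes, applied to the fchmodat(fd, "c", mode, 0) call from the gdb session in the report, as an added example (not coreutils' or gnulib's code): the entry is opened with O_PATH|O_NOFOLLOW, fstat confirms it is still a directory, and the chmod goes through /proc/self/fd so it lands on that same inode rather than on whatever the name resolves to a moment later. The helper name, the demo function and its temp-directory scenario are assumptions of this example, and it is Linux-only (the fallback O_PATH value is the generic Linux one).

```c
#define _GNU_SOURCE              /* O_PATH is a GNU extension in <fcntl.h> */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000         /* generic Linux value, if the header lacks it */
#endif
/* Assumed helper (not gnulib's or coreutils' code): race-free replacement for the
   fchmodat(dirfd, name, mode, 0) call the report points at. Open NAME without
   following symlinks, check it is still a directory, then chmod the opened inode
   through /proc/self/fd so no second path lookup can be redirected by a swap. */
int chmod_dir_opath(int dirfd, const char *name, mode_t mode)
{
    int fd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st; int r = -1;                    /* -1 + errno on any refusal */
    if (fstat(fd, &st) == 0) {
        if (S_ISLNK(st.st_mode)) errno = ELOOP;    /* walker saw a dir; now a link */
        else if (!S_ISDIR(st.st_mode)) errno = ENOTDIR;
        else {
            char proc[48];
            snprintf(proc, sizeof proc, "/proc/self/fd/%d", fd);
            r = chmod(proc, mode);   /* magic link resolves to FD's own inode */
        }
    }
    int saved = errno; close(fd); errno = saved;
    return r;
}
/* Constructed scenario: the report's end state, "c" already swapped for a symlink
   to a 0600 file, plus a genuine directory "realdir". Returns the file's mode after
   chmod attempts on both names (expected 0600: untouched), or a negative code. */
int demo_swapped_dir(void)
{
    char tmpl[] = "/tmp/toctou-XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    int tfd = openat(dirfd, "target", O_WRONLY | O_CREAT, 0600);
    if (dirfd < 0 || tfd < 0 || fchmod(tfd, 0600) != 0) return -1;   /* umask-proof */
    close(tfd);
    if (symlinkat("target", dirfd, "c") || mkdirat(dirfd, "realdir", 0700)) return -1;
    if (chmod_dir_opath(dirfd, "c", 0700) != -1 || errno != ELOOP) return -2; /* refused */
    if (chmod_dir_opath(dirfd, "realdir", 0750) != 0) return -3;      /* must succeed */
    struct stat st, sd;
    if (fstatat(dirfd, "target", &st, 0) || fstatat(dirfd, "realdir", &sd, 0)) return -1;
    close(dirfd);
    return (sd.st_mode & 07777) != 0750 ? -4 : (int)(st.st_mode & 07777);
}
```

The ELOOP path is the case from the report: the directory the tree walk saw is gone and a symlink sits in its place, so the helper reports an error instead of changing the mode of the link target.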




Information forwarded to bug-coreutils <at> gnu.org:
bug#32772; Package coreutils. (Thu, 20 Sep 2018 00:49:01 GMT)

Message #11 received at 32772 <at> debbugs.gnu.org:

From: Jeff Epler <jepler <at> gmail.com>
To: eggert <at> cs.ucla.edu
Cc: 32772 <at> debbugs.gnu.org
Subject: Re: bug#32772: TOCTOU bug in chmod
Date: Wed, 19 Sep 2018 19:47:57 -0500
Thanks for the correction, I should have not suggested a fix off the top of
my head.

On Wed, Sep 19, 2018 at 2:57 PM Paul Eggert <eggert <at> cs.ucla.edu> wrote:

> Jeff Epler wrote:
> > Changing to lchmodat should resolve the problem
>
> No, that would just introduce the opposite bug: chmod is supposed to
> follow a symlink, and using lchmod would let an attacker provoke a race
> that would cause chmod to not follow a symlink that it should.
>
> A better way to fix this problem on GNU/Linux is to use O_PATH, not
> lchmod. I don't know of any way to fix it on other platforms that lack
> O_PATH.
>

Severity set to 'wishlist' from 'normal'. Request was from Assaf Gordon <assafgordon <at> gmail.com> to control <at> debbugs.gnu.org. (Tue, 30 Oct 2018 03:57:01 GMT)

Changed bug title to 'chmod: use O_PATH to avoid TOCTOU bug' from 'TOCTOU bug in chmod'. Request was from Assaf Gordon <assafgordon <at> gmail.com> to control <at> debbugs.gnu.org. (Tue, 30 Oct 2018 03:57:01 GMT)

Forcibly merged 11108 18280 32772. Request was from Assaf Gordon <assafgordon <at> gmail.com> to control <at> debbugs.gnu.org. (Tue, 30 Oct 2018 04:24:01 GMT)

Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 18 Apr 2024 11:25:19 GMT)
