GNU bug report logs - #32772
chmod: use O_PATH to avoid TOCTOU bug

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: coreutils; Severity: wishlist; Reported by: Jeff Epler <jepler@HIDDEN>; Keywords: patch; merged with #11108, #18280; dated Wed, 19 Sep 2018 15:05:02 UTC; Maintainer for coreutils is bug-coreutils@HIDDEN.
Forcibly Merged 11108 18280 32772. Request was from Assaf Gordon <assafgordon@HIDDEN> to control <at> debbugs.gnu.org. Full text available.
Changed bug title to 'chmod: use O_PATH to avoid TOCTOU bug' from 'TOCTOU bug in chmod' Request was from Assaf Gordon <assafgordon@HIDDEN> to control <at> debbugs.gnu.org. Full text available.
Severity set to 'wishlist' from 'normal' Request was from Assaf Gordon <assafgordon@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 32772 <at> debbugs.gnu.org:


From: Jeff Epler <jepler@HIDDEN>
Date: Wed, 19 Sep 2018 19:47:57 -0500
Message-ID: <CAKoL9oR2x07+=j8-_j1RXGh0WP1h0ZtJW=_cUNKYk0JseLnE=Q@HIDDEN>
Subject: Re: bug#32772: TOCTOU bug in chmod
To: eggert@HIDDEN

Thanks for the correction; I should not have suggested a fix off the top of
my head.

On Wed, Sep 19, 2018 at 2:57 PM Paul Eggert <eggert@HIDDEN> wrote:

> Jeff Epler wrote:
> > Changing to lchmodat should resolve the problem
>
> No, that would just introduce the opposite bug: chmod is supposed to follow a
> symlink, and using lchmod would let an attacker provoke a race that would cause
> chmod to not follow a symlink that it should.
>
> A better way to fix this problem on GNU/Linux is to use O_PATH, not lchmod. I
> don't know of any way to fix it on other platforms that lack O_PATH.
>





Information forwarded to bug-coreutils@HIDDEN:
bug#32772; Package coreutils. Full text available.

Message received at 32772 <at> debbugs.gnu.org:


Subject: Re: bug#32772: TOCTOU bug in chmod
To: Jeff Epler <jepler@HIDDEN>, 32772 <at> debbugs.gnu.org
References: <CAKoL9oSR1ZVcDv2z8RUhZge1guq8OvhrNzoVpNvMuzyB8p0sbw@HIDDEN>
From: Paul Eggert <eggert@HIDDEN>
Organization: UCLA Computer Science Department
Message-ID: <5daa18d6-3640-1325-1da5-78bd9c90976a@HIDDEN>
Date: Wed, 19 Sep 2018 12:56:59 -0700

Jeff Epler wrote:
> Changing to lchmodat should resolve the problem

No, that would just introduce the opposite bug: chmod is supposed to follow a 
symlink, and using lchmod would let an attacker provoke a race that would cause 
chmod to not follow a symlink that it should.

A better way to fix this problem on GNU/Linux is to use O_PATH, not lchmod. I 
don't know of any way to fix it on other platforms that lack O_PATH.
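
Added example, not part of this thread and not the coreutils fix: one way to apply the O_PATH approach named above on Linux, replayed against a constructed copy of the reported swap. The names chmod_pinned and replay_swap are hypothetical, and the code assumes /proc is mounted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: set `mode` on entry `name` of directory `dirfd`, but
   only if it is still the object `seen` that the traversal stat'ed earlier.
   Returns 0 on success, -1 on failure. */
int chmod_pinned(int dirfd, const char *name, const struct stat *seen, mode_t mode)
{
    /* O_PATH|O_NOFOLLOW pins whatever is there now, even a symlink itself. */
    int fd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat now;
    int rc = -1;
    if (fstat(fd, &now) == 0) {
        if (S_ISLNK(now.st_mode) || now.st_dev != seen->st_dev
            || now.st_ino != seen->st_ino) {
            errno = ESTALE;     /* entry was swapped after it was examined */
        } else {
            /* fchmod() rejects O_PATH descriptors (EBADF); go through the
               /proc magic link, which names the pinned inode, not the path. */
            char path[64];
            snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
            rc = chmod(path, mode);
        }
    }
    close(fd);
    return rc;
}

/* Constructed replay of the report's swap in a private temp directory.
   Returns the victim file's final permission bits, or -1 on any failure. */
int replay_swap(void)
{
    char root[] = "/tmp/pinned-XXXXXX";
    struct stat seen, victim;
    if (!mkdtemp(root)) return -1;
    int dfd = open(root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int vfd = openat(dfd, "victim", O_CREAT | O_WRONLY, 0600);
    if (dfd < 0 || vfd < 0 || mkdirat(dfd, "c", 0700) != 0) return -1;
    close(vfd);
    int ok = fstatat(dfd, "c", &seen, AT_SYMLINK_NOFOLLOW) == 0 /* traversal's view */
          && chmod_pinned(dfd, "c", &seen, 0750) == 0           /* untouched: applied */
          && renameat(dfd, "c", dfd, "noc") == 0                /* the report's swap */
          && symlinkat("victim", dfd, "c") == 0
          && chmod_pinned(dfd, "c", &seen, 0700) == -1          /* swapped: refused */
          && fstatat(dfd, "victim", &victim, 0) == 0;
    unlinkat(dfd, "c", 0);
    unlinkat(dfd, "noc", AT_REMOVEDIR);
    unlinkat(dfd, "victim", 0);
    close(dfd);
    rmdir(root);
    return ok ? (int)(victim.st_mode & 0777) : -1;
}

int main(void) { printf("victim mode after swap: %o\n", (unsigned)replay_swap()); return 0; }
```

The comparison against the earlier stat result is what closes the window: the mode change is applied to the descriptor's inode, so a later rename of the path cannot redirect it.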




Information forwarded to bug-coreutils@HIDDEN:
bug#32772; Package coreutils. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Jeff Epler <jepler@HIDDEN>
Date: Wed, 19 Sep 2018 07:49:19 -0500
Message-ID: <CAKoL9oSR1ZVcDv2z8RUhZge1guq8OvhrNzoVpNvMuzyB8p0sbw@HIDDEN>
Subject: TOCTOU bug in chmod
To: bug-coreutils@HIDDEN

When a directory is replaced with a symlink at a critical moment, `chmod`
will perform the unintended action of changing the mode of the linked-to
file or directory.  I tested in coreutils 8.26 on Debian stretch, but
believe that the current version 8.30 and the development version are
vulnerable.

Basically, when chmodat is used here
http://git.savannah.gnu.org/cgit/coreutils.git/tree/src/chmod.c?id=694d10b71e418ef4ea68847185b73544fe03eae2#n273
it will dereference the symlink.  Changing to lchmodat should resolve the
problem, except that on GNU/Linux, it appears this works by passing
AT_SYMLINK_NOFOLLOW to fchmodat, but that flag is noted as "not currently
implemented" in the local man page ("release 4.10 of the Linux man-pages
project").  Consequently, I'm not even sure there is a correct fix
available on this common platform.

Here are my steps to reproduce, which involve using gdb to pause the
execution of chmod while the substitution is made, so that the window of
opportunity is made as large as possible.  I have followed the steps
manually several times, so I hope they are correct and don't have any
transcription errors.

### Note the ironic unsafe use of /tmp
$ umask 077
$ mkdir -p /tmp/a/b/c; touch /tmp/a/b/c/d; touch /tmp/donttouchthis
### /tmp/donttouchthis is mode 0600 here
$ ls -l /tmp/donttouchthis
$ gdb --args chmod -R u=u /tmp/a
(gdb) b fchmodat
(gdb) run
Breakpoint 1, fchmodat (fd=-100, file=0x5555557640f0 "/tmp/a", mode=493,
(gdb) condition 1 !strcmp(file, "c")
(gdb) continue
Breakpoint 1, fchmodat (fd=5, file=0x55555576d6f8 "c", mode=493, flag=0)
(gdb) shell cd /tmp/a/b && mv c noc && ln -s /tmp/donttouchthis c
(gdb) continue
/bin/chmod: cannot read directory '/tmp/a/b/c': Not a directory
[Inferior 1 (process 13718) exited with code 01]
(gdb) shell ls -l /tmp/donttouchthis
### donttouchthis is mode 0700 here, the old mode of /tmp/a/b/c!

Note how the mode of /tmp/donttouchthis has been changed from 0600 to 0700,
because it got the mode of the directory '/tmp/a/b/c'.





Acknowledgement sent to Jeff Epler <jepler@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-coreutils@HIDDEN. Full text available.
Report forwarded to bug-coreutils@HIDDEN:
bug#32772; Package coreutils. Full text available.
Last modified: Tue, 30 Oct 2018 04:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.