Subject: bug#11108: [PATCH] chmod: fix symlink race condition
To: 11108@debbugs.gnu.org
From: Paul Eggert
Date: Tue, 27 Mar 2012 22:28:31 -0700

This fixes what I hope is an obvious race condition that can occur if some other process substitutes a symlink for a non-symlink while chmod is running.

===== * src/chmod.c (process_file): Don't follow symlink if we think the file is not a symlink. --- src/chmod.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) diff --git a/src/chmod.c b/src/chmod.c index aa4ac77..2e1f1c7 100644 
--- a/src/chmod.c +++ b/src/chmod.c @@ -268,7 +268,15 @@ process_file (FTS *fts, FTSENT *ent) if (! S_ISLNK (old_mode)) { - if (chmodat (fts->fts_cwd_fd, file, new_mode) == 0) + /* Use any native support for AT_SYMLINK_NOFOLLOW, to avoid + following a symlink if there is a race. */ + #if HAVE_FCHMODAT || HAVE_LCHMOD + int follow_flag = AT_SYMLINK_NOFOLLOW; + #else + int follow_flag = 0; + #endif + + if (fchmodat (fts->fts_cwd_fd, file, new_mode, follow_flag) == 0) chmod_succeeded = true; else { -- 1.7.6.5
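
Review bot: the `#if HAVE_FCHMODAT || HAVE_LCHMOD` test establishes only that the functions exist at build time, not that the running system accepts AT_SYMLINK_NOFOLLOW, and the call site has no handling for a rejected flag: if fchmodat refuses it, control drops into the existing else branch and a regular file that the old chmodat call handled is reported as a failure. Suggest probing that the flag actually works on a regular file before selecting it, and adding a test that runs chmod on a plain file so a rejected flag is caught by "make check".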

From: Jim Meyering
Date: Wed, 28 Mar 2012 09:36:01 +0200

Paul Eggert wrote:
> This fixes what I hope is an obvious race condition
> that can occur if some other process substitutes a
> symlink for a non-symlink while chmod is running.

Good catch. I'll bet that's exploitable by anyone who can convince root to run "chmod -r ... DIR" on files they own.

The chmodat-introducing commit was v5.92-656-gc97a36e, but the preceding use of chmod was just as vulnerable.

If you reference a commit in your log, please use "git describe" output, not the bare-8-byte-SHA1 like we've done in the past. While "git describe" output is not converted to a clickable link by a released gitk, with the one in upcoming git-1.7.10, it is.

I presume you'll update NEWS, too, where you can say
  [bug introduced in the beginning]

I've confirmed that the very first version of chmod.c has the same problem: it calls stat, then calls chmod whenever !S_ISLNK.

I note also that this doesn't protect anyone who is using a system that lacks both fchmodat and lchmod. For that, we'd have to openat each file to get a file descriptor, then fstat that FD to verify it's the same dev/ino as found by the fts-run stat call, and only then, call fchmod.

> ===== > * src/chmod.c (process_file): Don't follow symlink if we > think the file is not a symlink. > --- > src/chmod.c | 10 +++++++++- > 1 files changed, 9 insertions(+), 1 deletions(-) 
> > diff --git a/src/chmod.c b/src/chmod.c > index aa4ac77..2e1f1c7 100644 > --- a/src/chmod.c > +++ b/src/chmod.c 
> @@ -268,7 +268,15 @@ process_file (FTS *fts, FTSENT *ent) > > if (! S_ISLNK (old_mode)) > { > - if (chmodat (fts->fts_cwd_fd, file, new_mode) == 0) > + /* Use any native support for AT_SYMLINK_NOFOLLOW, to avoid > + following a symlink if there is a race. */ > + #if HAVE_FCHMODAT || HAVE_LCHMOD > + int follow_flag = AT_SYMLINK_NOFOLLOW; > + #else > + int follow_flag = 0; > + #endif > + > + if (fchmodat (fts->fts_cwd_fd, file, new_mode, follow_flag) == 0) > chmod_succeeded = true; > else > {
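
Review bot: the added comment does not explain why HAVE_LCHMOD appears in the condition when the only call in the hunk is fchmodat; it should say what makes the flag safe to pass when fchmodat itself is not native (presumably a replacement fchmodat that falls back to lchmod). In the `#else` branch, `int follow_flag = 0;` keeps the old symlink-following behaviour with no indication, so a short comment there noting that the race remains on such systems would help, and the two declarations could collapse into a single `int follow_flag` with the `#if` selecting only the initializer.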

Date: Wed, 28 Mar 2012 11:11:29 -0700
From: Paul Eggert

On 03/28/2012 12:36 AM, Jim Meyering wrote:
> I presume you'll update NEWS, too, where you can say
> [bug introduced in the beginning]

Thanks, good point. I did that in the version I just committed to the master.

> I note also that this doesn't protect anyone who is using
> a system that lacks both fchmodat and lchmod.

Right; I put that in the NEWS entry.

There are still problems, in the sense that the attacker can use a hard link to target any visible file on the same filesystem, by using hard links; but this problem is unavoidable.

> we'd have to openat each file to get a file descriptor,
> then fstat that FD to verify it's the same dev/ino as
> found by the fts-run stat call, and only then, call fchmod.

This might be useful to close other (more-subtle) races involving things like hard-link manipulation and chmod +X, where the new mode depends on the old. A general problem with using 'open' for this sort of thing, though, is that 'open' can have side effects on devices. I wish there was a variant of 'open' guaranteed to never hang and never have side effects; then we could play this sort of game more reliably.
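
The openat, fstat and fchmod sequence discussed in the messages above, written out as an added example (not code from coreutils or from anyone in this thread). `chmod_verified`, its return codes and the `demo` self-test are hypothetical names; adding O_NONBLOCK and O_NOCTTY to limit the side effects of open on devices is an assumption of this example, and a file that cannot be opened for reading is simply reported as an error.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum { CHMOD_OK = 0, CHMOD_ERR = -1, CHMOD_CHANGED = -2 };
enum swap { SWAP_NONE, SWAP_SYMLINK, SWAP_FILE };

/* Hypothetical helper, not coreutils code.  Change the mode of NAME
   (relative to DIRFD) only if it is still the object described by SEEN,
   the lstat-style result recorded earlier by the directory walk.  */
int chmod_verified (int dirfd, const char *name, const struct stat *seen,
                    mode_t new_mode)
{
  /* O_NOFOLLOW rejects a symlink substituted for NAME.  O_NONBLOCK and
     O_NOCTTY limit, but do not eliminate, the side effects of opening
     FIFOs and devices.  An unreadable file fails here with EACCES.  */
  int fd = openat (dirfd, name,
                   O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY | O_CLOEXEC);
  if (fd < 0)
    return CHMOD_ERR;

  struct stat now;
  int result = CHMOD_ERR;
  if (fstat (fd, &now) == 0)
    {
      if (now.st_dev != seen->st_dev || now.st_ino != seen->st_ino)
        result = CHMOD_CHANGED;        /* replaced since the stat call */
      else if (fchmod (fd, new_mode) == 0)
        result = CHMOD_OK;             /* acts on the verified object */
    }
  int saved_errno = errno;
  close (fd);
  errno = saved_errno;
  return result;
}

/* Create an empty file with mode 0600 (before umask); 0 on success.  */
static int create_file (int dfd, const char *name)
{
  int fd = openat (dfd, name, O_CREAT | O_EXCL | O_WRONLY, 0600);
  return fd < 0 ? -1 : close (fd);
}

/* Constructed self-test in a private temporary directory: record the
   identity of "f", optionally replace it, then call chmod_verified.
   modes[0] is the final lstat mode of "f", modes[1] that of "victim".  */
int demo (enum swap swap, mode_t modes[2])
{
  char dir[] = "/tmp/chmod-verified-XXXXXX";
  struct stat seen, st;
  modes[0] = modes[1] = 0;
  if (!mkdtemp (dir))
    return CHMOD_ERR;
  int dfd = open (dir, O_RDONLY | O_DIRECTORY);
  if (dfd < 0)
    {
      rmdir (dir);
      return CHMOD_ERR;
    }

  /* "||" keeps the steps ordered and stops at the first failure.  */
  int bad = create_file (dfd, "f") || create_file (dfd, "victim")
            || fstatat (dfd, "f", &seen, AT_SYMLINK_NOFOLLOW);
  if (swap == SWAP_SYMLINK)
    bad = bad || unlinkat (dfd, "f", 0) || symlinkat ("victim", dfd, "f");
  else if (swap == SWAP_FILE)   /* rename, so the inode cannot be reused */
    bad = bad || create_file (dfd, "g") || renameat (dfd, "g", dfd, "f");

  int result = bad ? CHMOD_ERR : chmod_verified (dfd, "f", &seen, 0644);

  if (fstatat (dfd, "f", &st, AT_SYMLINK_NOFOLLOW) == 0)
    modes[0] = st.st_mode & 07777;
  if (fstatat (dfd, "victim", &st, 0) == 0)
    modes[1] = st.st_mode & 07777;
  unlinkat (dfd, "f", 0);
  unlinkat (dfd, "g", 0);
  unlinkat (dfd, "victim", 0);
  close (dfd);
  rmdir (dir);
  return result;
}

int main (void)
{
  static const char *const label[] =
    { "unchanged", "symlink swapped in", "file swapped in" };
  for (int i = SWAP_NONE; i <= SWAP_FILE; i++)
    {
      mode_t m[2];
      int r = demo ((enum swap) i, m);
      printf ("%-19s result=%2d f=%04o victim=%04o\n", label[i], r,
              (unsigned) m[0], (unsigned) m[1]);
    }
  return 0;
}
```

Run stand-alone, it prints the result for an untouched file, a file replaced by a symlink, and a file replaced by another file; in the last two cases the mode of `victim` stays 0600.
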

From: Jim Meyering
Date: Wed, 28 Mar 2012 21:32:29 +0200

Paul Eggert wrote:
> On 03/28/2012 12:36 AM, Jim Meyering wrote:
>> I presume you'll update NEWS, too, where you can say
>> [bug introduced in the beginning]
>
> Thanks, good point. I did that in the version I just committed
> to the master.
>
>> I note also that this doesn't protect anyone who is using
>> a system that lacks both fchmodat and lchmod.
>
> Right; I put that in the NEWS entry.
>
> There are still problems, in the sense that the attacker
> can use a hard link to target any visible file on the same filesystem,
> by using hard links; but this problem is unavoidable.
>
>> we'd have to openat each file to get a file descriptor,
>> then fstat that FD to verify it's the same dev/ino as
>> found by the fts-run stat call, and only then, call fchmod.
>
> This might be useful to close other (more-subtle) races
> involving things like hard-link manipulation and chmod +X,
> where the new mode depends on the old. A general problem
> with using 'open' for this sort of thing, though,
> is that 'open' can have side effects on devices. I wish
> there was a variant of 'open' guaranteed to never
> hang and never have side effects; then we could play this
> sort of game more reliably.

Oops. I should not have suggested using open, since it cannot work in general: it would fail for any file that is neither readable nor writable.

From: Jim Meyering
Date: Wed, 28 Mar 2012 22:13:12 +0200

Paul Eggert wrote:
> On 03/28/2012 12:36 AM, Jim Meyering wrote:
>> I presume you'll update NEWS, too, where you can say
>> [bug introduced in the beginning]
>
> Thanks, good point. I did that in the version I just committed
> to the master.

Rats:

    $ ./chmod u+w f
    ./chmod: changing permissions of 'f': Operation not supported

That fix introduces chmod failures on several important systems, including my Fedora 17 desktop ;-)

I confess that I had not tested it, and had missed or forgotten this part of the GNU/Linux/fchmodat documentation:

    AT_SYMLINK_NOFOLLOW
        If pathname is a symbolic link, do not dereference it: instead operate on the link itself. This flag is not currently implemented.

The nixos/hydra build server is reporting failures, too:

    http://hydra.nixos.org/build/2341393
    http://hydra.nixos.org/build/2341397
    http://hydra.nixos.org/build/2341395

Date: Wed, 28 Mar 2012 13:28:01 -0700
From: Paul Eggert

On 03/28/2012 01:13 PM, Jim Meyering wrote:
> $ ./chmod u+w f
> ./chmod: changing permissions of 'f': Operation not supported

Yeouch. I undid the change for now.
Hmm, why did "make check" work for me?
I'll have to investigate later, alas.

Date: Sat, 16 Aug 2014 13:54:57 -0700
From: Paul Eggert
To: control@debbugs.gnu.org
Subject: 11108 and 18280 are the same bug

forcemerge 11108 18280

From: Assaf Gordon
Date: Mon, 29 Oct 2018 22:23:09 -0600

severity 11108 wishlist
retitle 11108 chmod: fix symlink race condition
forcemerge 11108 32772

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Paul Eggert
Subject: bug#11108: closed (Re: bug#11108: [PATCH] chmod: fix symlink race condition)
Date: Wed, 20 Mar 2024 19:10:02 +0000

Your bug report

#11108: chmod: fix symlink race condition

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report. If you require more details, please reply to 11108@debbugs.gnu.org.

-- 
11108: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=11108
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

Date: Wed, 20 Mar 2024 19:01:22 +0000
Subject: Re: bug#11108: [PATCH] chmod: fix symlink race condition
To: 11108-done@debbugs.gnu.org
From: =?UTF-8?Q?P=C3=A1draig_Brady?= In-Reply-To: <4F737451.2090001@cs.ucla.edu> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Score: 0.2 (/) X-Debbugs-Envelope-To: 11108-done X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.8 (/) On 28/03/2012 21:28, Paul Eggert wrote: > On 03/28/2012 01:13 PM, Jim Meyering wrote: >> $ ./chmod u+w f >> ./chmod: changing permissions of 'f': Operation not supported > > Yeouch. I undid the change for now. > Hmm, why did "make check" work for me? > I'll have to investigate later, alas. Patch for this pushed at: https://git.sv.gnu.org/cgit/coreutils.git/commit/?id=v9.4-163-g425b8a2f5 Marking this as done. cheers, Pádraig. ------------=_1710961802-22841-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 28 Mar 2012 06:00:47 +0000 Received: from localhost ([127.0.0.1]:42121 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.72) (envelope-from ) id 1SClw6-0001sq-DU for submit@debbugs.gnu.org; Wed, 28 Mar 2012 02:00:47 -0400 Received: from eggs.gnu.org ([208.118.235.92]:48947) by debbugs.gnu.org with esmtp (Exim 4.72) (envelope-from ) id 1SClvX-0001s7-RX for submit@debbugs.gnu.org; Wed, 28 Mar 2012 02:00:44 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1SClRC-0002OP-Rc for submit@debbugs.gnu.org; Wed, 28 Mar 2012 01:28:52 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.2 Received: from lists.gnu.org ([208.118.235.17]:59250) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 

From: Paul Eggert
To: bug-coreutils@gnu.org
Subject: [PATCH] chmod: fix symlink race condition
Date: Tue, 27 Mar 2012 22:28:31 -0700

This fixes what I hope is an obvious race condition that can occur if some other process substitutes a symlink for a non-symlink while chmod is running.

=====
* src/chmod.c (process_file): Don't follow symlink if we think the file is not a symlink.
--- src/chmod.c | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) diff --git a/src/chmod.c b/src/chmod.c index aa4ac77..2e1f1c7 100644 --- a/src/chmod.c +++ b/src/chmod.c @@ -268,7 +268,15 @@ process_file (FTS *fts, FTSENT *ent) if (! S_ISLNK (old_mode)) { - if (chmodat (fts->fts_cwd_fd, file, new_mode) == 0) + /* Use any native support for AT_SYMLINK_NOFOLLOW, to avoid + following a symlink if there is a race. */ + #if HAVE_FCHMODAT || HAVE_LCHMOD + int follow_flag = AT_SYMLINK_NOFOLLOW; + #else + int follow_flag = 0; + #endif + + if (fchmodat (fts->fts_cwd_fd, file, new_mode, follow_flag) == 0) chmod_succeeded = true; else { -- 1.7.6.5
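
Review bot: the `#if HAVE_FCHMODAT || HAVE_LCHMOD` guard only establishes that the functions exist, not that fchmodat accepts AT_SYMLINK_NOFOLLOW, so on a platform that rejects the flag the new call fails for every non-symlink file instead of changing its mode; the "./chmod: changing permissions of 'f': Operation not supported" report quoted elsewhere in this thread is that case. Consider probing for working flag support (at configure time, or by handling the unsupported-flag error at run time without falling back to a call that follows symlinks), and say in the comment that the `#else` branch with `follow_flag = 0` leaves the race in place.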

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Tobias Stoeckmann
Subject: bug#18280: closed (Re: bug#11108: [PATCH] chmod: fix symlink race condition)
Date: Wed, 20 Mar 2024 19:10:02 +0000

Your bug report

#11108: chmod: fix symlink race condition

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 18280@debbugs.gnu.org.

-- 
11108: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=11108
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Tobias Stoeckmann
To: bug-coreutils@gnu.org
Subject: chmod: race condition
Date: Sat, 16 Aug 2014 19:44:47 +0200

Hi,

chmod is vulnerable to a TOCTTOU (time of check to time of use) race condition.

Tested this on an OpenBSD system. For people unfamiliar with OpenBSD, /etc/master.passwd basically equals /etc/shadow:

# chmod --version | head -n 1
chmod (GNU coreutils) 8.23
# ls -l /etc/master.passwd
-rw------- 1 root wheel 4244 Jul 23 21:14 /etc/master.passwd
# chmod -R g+w /usr/src
# ls -l /etc/master.passwd
-rw-rw-r-- 1 root wheel 4244 Jul 23 21:14 /etc/master.passwd

$ rm /usr/src/Makefile
$ ln -s /etc/master.passwd /usr/src/Makefile

For the second console, the user belonged to the same group as /usr/src (wsrc in this example). The second console is able to modify Makefile because the directory /usr/src was already made group-writable.

The race happens in src/chmod.c, around function process_file. Before it gets called, fts_read() retrieved information about the _file_ Makefile, i.e. before the second console removed it. Then the file gets replaced by a symlink, pointing to a file we want to get modified. Now chmodat() resolves the path again and actually evaluates the _symlink_. The destination file /etc/master.passwd can be happily parsed by the attacker now.

I won't supply a patch now, as I remember that GNU is a bit picky about accepting patches from everyone. But I will recommend to look into the use of fchmodat() instead, supplying the argument AT_SYMLINK_NOFOLLOW. We discuss this solution at OpenBSD currently.

Tobias

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Jeff Epler
Subject: bug#32772: closed (Re: bug#11108: [PATCH] chmod: fix symlink race condition)
Date: Wed, 20 Mar 2024 19:10:02 +0000

Your bug report

#11108: chmod: use O_PATH to avoid TOCTOU bug

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 32772@debbugs.gnu.org.

-- 
11108: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=11108
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Jeff Epler
To: bug-coreutils@gnu.org
Subject: TOCTOU bug in chmod
Date: Wed, 19 Sep 2018 07:49:19 -0500

When a directory is replaced with a symlink at a critical moment, `chmod` will perform the unintended action of changing the mode of the linked-to file or directory. I tested in coreutils 8.26 on debian stretch, but believe that the current version 8.30 and the development version are vulnerable.

Basically, when chmodat is used here http://git.savannah.gnu.org/cgit/coreutils.git/tree/src/chmod.c?id=694d10b71e418ef4ea68847185b73544fe03eae2#n273 it will dereference the symlink. Changing to lchmodat should resolve the problem, except that on GNU/Linux, it appears this works by passing AT_SYMLINK_NOFOLLOW to fchmodat, but that flag is noted as "not currently implemented" in the local man page ("release 4.10 of the Linux man-pages project"). Consequently, I'm not even sure there is a correct fix available on this common platform.

Here are my steps to reproduce, which involve using gdb to pause the execution of chmod while the substitution is made, so that the window of opportunity is made as large as possible. I have followed the steps manually several times, so I hope they are correct and don't have any transcription errors.

### Note the ironic unsafe use of /tmp
$ umask 077
$ mkdir -p /tmp/a/b/c; touch /tmp/a/b/c/d; touch /tmp/donttouchthis
### /tmp/donttouchthis is mode 0600 here
$ ls -l /tmp/donttouchthis
$ gdb --args chmod -R u=u /tmp/a
(gdb) b fchmodat
(gdb) run
Breakpoint 1, fchmodat (fd=-100, file=0x5555557640f0 "/tmp/a", mode=493,
(gdb) condition 1 !strcmp(file, "c")
(gdb) continue
Breakpoint 1, fchmodat (fd=5, file=0x55555576d6f8 "c", mode=493, flag=0)
(gdb) shell cd /tmp/a/b && mv c noc && ln -s /tmp/donttouchthis c
(gdb) continue
/bin/chmod: cannot read directory '/tmp/a/b/c': Not a directory
[Inferior 1 (process 13718) exited with code 01]
(gdb) shell ls -l /tmp/donttouchthis
### donttouchthis is mode 0700 here, the old mode of /tmp/a/b/c!

Note how the mode of /tmp/donttouchthis has been changed from 0600 to 0700, because it got the mode of the directory '/tmp/a/b/c'.
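
The check-then-chmod race in the two reports above, and the O_PATH approach named in the retitled bug, as an added example (not coreutils code and not the commit referenced in the closing message). The names chmod_pinned and run_scenario and the file names are assumptions made for illustration; the code is Linux-specific and needs /proc mounted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_PATH            /* only if <fcntl.h> was included before _GNU_SOURCE */
#define O_PATH 010000000  /* asm-generic Linux value (x86, arm64) */
#endif

/* Set MODE on entry NAME of directory DIRFD only if it is still the object
   described by SEEN, an earlier fstatat(..., AT_SYMLINK_NOFOLLOW) result.
   Returns 0 on success, -1 with errno set (ESTALE if the entry changed). */
int chmod_pinned(int dirfd, const char *name, const struct stat *seen, mode_t mode)
{
    /* With O_PATH | O_NOFOLLOW a symlink is opened as the link itself, so
       the descriptor pins whatever NAME refers to at this instant. */
    int fd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;

    struct stat now;
    int rc = -1;
    if (fstat(fd, &now) == 0) {
        if (S_ISLNK(now.st_mode)
            || now.st_dev != seen->st_dev || now.st_ino != seen->st_ino) {
            errno = ESTALE;   /* replaced between check and use */
        } else {
            /* The /proc magic link resolves to the pinned inode, not to the
               name, so a later swap of NAME cannot redirect the chmod. */
            char path[64];
            snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
            rc = chmod(path, mode);
        }
    }
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

struct outcome { int rc, err; unsigned protected_mode, original_mode; };

/* Constructed scenario in a private temp directory: "Makefile" is examined,
   then (if SWAP) replaced by a symlink to "protected" before the chmod. */
struct outcome run_scenario(int swap)
{
    struct outcome o = { -1, 0, 0, 0 };
    char dir[] = "/tmp/chmod-pinned-XXXXXX";
    struct stat seen, st;
    int dfd = mkdtemp(dir) ? open(dir, O_RDONLY | O_DIRECTORY) : -1;
    if (dfd < 0) return o;

    close(openat(dfd, "protected", O_CREAT | O_WRONLY, 0600));
    close(openat(dfd, "Makefile", O_CREAT | O_WRONLY, 0600));
    if (fchmodat(dfd, "protected", 0600, 0) != 0
        || fchmodat(dfd, "Makefile", 0644, 0) != 0
        || fstatat(dfd, "Makefile", &seen, AT_SYMLINK_NOFOLLOW) != 0) /* check */
        goto cleanup;
    if (swap && (renameat(dfd, "Makefile", dfd, "Makefile.orig") != 0
                 || symlinkat("protected", dfd, "Makefile") != 0))
        goto cleanup;

    errno = 0;
    o.rc = chmod_pinned(dfd, "Makefile", &seen, 0664);               /* use */
    o.err = errno;
    if (fstatat(dfd, "protected", &st, 0) == 0)
        o.protected_mode = st.st_mode & 07777;
    if (fstatat(dfd, swap ? "Makefile.orig" : "Makefile", &st,
                AT_SYMLINK_NOFOLLOW) == 0)
        o.original_mode = st.st_mode & 07777;
cleanup:
    unlinkat(dfd, "Makefile", 0);
    unlinkat(dfd, "Makefile.orig", 0);
    unlinkat(dfd, "protected", 0);
    close(dfd);
    rmdir(dir);
    return o;
}

int main(void)
{
    struct outcome a = run_scenario(0), b = run_scenario(1);
    printf("unchanged: rc=%d original=%04o protected=%04o\n", a.rc, a.original_mode, a.protected_mode);
    printf("swapped:   rc=%d errno=%d protected=%04o\n", b.rc, b.err, b.protected_mode);
    return 0;
}
```

The device and inode comparison is what ties the chmod to the object the tree walk examined; O_NOFOLLOW alone would still accept a different regular file moved into place under the same name.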