GNU bug report logs - #11108
chmod: fix symlink race condition

Previous Next

Package: coreutils;

Reported by: Paul Eggert <eggert <at> cs.ucla.edu>

Date: Wed, 28 Mar 2012 06:01:01 UTC

Severity: wishlist

Tags: patch

Merged with 18280, 32772

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Jim Meyering <jim <at> meyering.net>
Cc: 11108 <at> debbugs.gnu.org
Subject: bug#11108: [PATCH] chmod: fix symlink race condition
Date: Wed, 28 Mar 2012 11:11:29 -0700

On 03/28/2012 12:36 AM, Jim Meyering wrote:
> I presume you'll update NEWS, too, where you can say
> [bug introduced in the beginning]

Thanks, good point.  I did that in the version I just committed
to the master.

> I note also that this doesn't protect anyone who is using
> a system that lacks both fchmodat and lchmod.

Right; I put that in the NEWS entry.

There are still problems, in the sense that the attacker
can use a hard link to target any visible file on the same filesystem,
by using hard links; but this problem is unavoidable.

> we'd have to openat each file to get a file descriptor,
> then fstat that FD to verify it's the same dev/ino as
> found by the fts-run stat call, and only then, call fchmod.

This might be useful to close other (more-subtle) races
involving things like hard-link manipulation and chmod +X,
where the new mode depends on the old.  A general problem
with using 'open' for this sort of thing, though,
is that 'open' can have side effects on devices.  I wish
there was a variant of 'open' guaranteed to never
hang and never have side effects; then we could play this
sort of game more reliably.
This bug report was last modified 1 year and 118 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.