GNU bug report logs - #11108
chmod: fix symlink race condition

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Pádraig Brady <P <at> draigBrady.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#32772: closed (chmod: use O_PATH to avoid TOCTOU bug)
Date: Wed, 20 Mar 2024 19:10:02 +0000

[Message part 1 (text/plain, inline)]

Your message dated Wed, 20 Mar 2024 19:01:22 +0000
with message-id <72010fe2-c127-6462-d8b7-f754a5d87ffa <at> draigBrady.com>
and subject line Re: bug#11108: [PATCH] chmod: fix symlink race condition
has caused the debbugs.gnu.org bug report #11108,
regarding chmod: use O_PATH to avoid TOCTOU bug
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
11108: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=11108
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Jeff Epler <jepler <at> gmail.com>
To: bug-coreutils <at> gnu.org
Subject: TOCTOU bug in chmod
Date: Wed, 19 Sep 2018 07:49:19 -0500

[Message part 3 (text/plain, inline)]

When a directory is replaced with a symlink at a critical moment, `chmod`
will perform the unintended action of changing the mode of the linked-to
file or directory.  I tested in coreutils 8.26 on debian stretch, but
believe that the current version 8.30 and the development version are
vulnerable.

Basically, when chmodat is used here
http://git.savannah.gnu.org/cgit/coreutils.git/tree/src/chmod.c?id=694d10b71e418ef4ea68847185b73544fe03eae2#n273
it will dereference the symlink.  Changing to lchmodat should resolve the
problem, except that on GNU/Linux, it appears this works by passing
AT_SYMLINK_NOFOLLOW to fchmodat, but that flag is noted as "not currently
implemented" in the local man page ("release 4.10 of the Linux man-pages
project").  Consequently, I'm not even sure there is a correct fix
available on this common platform.

Here are my steps to reproduce, which involve using gdb to pause the
execution of chmod while the substitution is made, so that the window of
opportunity is made as large as possible.  I have followed the steps
manually several times, so I hope they are correct and don't have any
transcription errors.

### Note the ironic unsafe use of /tmp
$ umask 077
$ mkdir -p /tmp/a/b/c; touch /tmp/a/b/c/d; touch /tmp/donttouchthis
### /tmp/donttouchthis is mode 0600 here
$ ls -l /tmp/donttouchthis
$ gdb --args chmod -R u=u /tmp/a
(gdb) b fchmodat
(gdb) run
Breakpoint 1, fchmodat (fd=-100, file=0x5555557640f0 "/tmp/a", mode=493,
(gdb) condition 1 !strcmp(file, "c")
(gdb) continue
Breakpoint 1, fchmodat (fd=5, file=0x55555576d6f8 "c", mode=493, flag=0)
(gdb) shell cd /tmp/a/b && mv c noc && ln -s /tmp/donttouchthis c
(gdb) continue
/bin/chmod: cannot read directory '/tmp/a/b/c': Not a directory
[Inferior 1 (process 13718) exited with code 01]
(gdb) shell ls -l /tmp/donttouchthis
### donttouchthis is mode 0700 here, the old mode of /tmp/a/b/c!

Note how the mode of /tmp/donttouchthis has been changed from 0600 to 0700,
because it got the mode of the directory '/tmp/a/b/c'.

[Message part 4 (text/html, inline)]

[Message part 5 (message/rfc822, inline)]

From: Pádraig Brady <P <at> draigBrady.com>
To: 11108-done <at> debbugs.gnu.org
Subject: Re: bug#11108: [PATCH] chmod: fix symlink race condition
Date: Wed, 20 Mar 2024 19:01:22 +0000

On 28/03/2012 21:28, Paul Eggert wrote:
> On 03/28/2012 01:13 PM, Jim Meyering wrote:
>>      $ ./chmod u+w f
>>      ./chmod: changing permissions of 'f': Operation not supported
> 
> Yeouch.  I undid the change for now.
> Hmm, why did "make check" work for me?
> I'll have to investigate later, alas.

Patch for this pushed at:
https://git.sv.gnu.org/cgit/coreutils.git/commit/?id=v9.4-163-g425b8a2f5

Marking this as done.

cheers,
Pádraig.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.