[PATCH 2/2] doc: warn about following symlinks recursively in chown/chgr

coreutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 2/2] doc: warn about following symlinks recursively in chown/chgr

From:	Michael Orlitzky
Subject:	[PATCH 2/2] doc: warn about following symlinks recursively in chown/chgrp
Date:	Thu, 28 Dec 2017 15:52:43 -0500

* doc/coreutils.texi: In both chown and chgrp (which shares
  its code with chown), operating on symlinks recursively
  has a window of vulnerability where the destination user
  or group can change the target of the operation. This commit
  warns about combining the --dereference, --recursive, and -L
  flags.
---
 doc/coreutils.texi | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/doc/coreutils.texi b/doc/coreutils.texi
index de06c0f63..c7460278f 100644
--- a/doc/coreutils.texi
+++ b/doc/coreutils.texi
@@ -1427,6 +1427,9 @@ a command line argument is a symbolic link to a 
directory, traverse it.
 @cindex symbolic link to directory, traverse each that is encountered
 In a recursive traversal, traverse every symbolic link to a directory
 that is encountered.
+This option creates a security risk: an attacker may be able to
+introduce a symlink that reorders the directory traversal, resulting
+in the operation being performed on an arbitrary path of his choosing.
 @end macro
 @choptL
 
@@ -10990,6 +10993,10 @@ chown -h -R --from=OLDUSER NEWUSER /
 @findex lchown
 Do not act on symbolic links themselves but rather on what they point to.
 This is the default when not operating recursively.
+Combining this option with @option{--recursive} (@option{-R}) creates
+a security risk: the @var{new-owner} may be able to introduce a
+symlink that reorders the directory traversal, resulting in
+@code{chown} being called on an arbitrary path of his choosing.
 
 @item -h
 @itemx --no-dereference
@@ -11120,6 +11127,10 @@ changed.
 @findex lchown
 Do not act on symbolic links themselves but rather on what they point to.
 This is the default when not operating recursively.
+Combining this option with @option{--recursive} (@option{-R}) creates
+a security risk: a member of @var{group} may be able to introduce a
+symlink that reorders the directory traversal, resulting in
+@code{chgrp} being called on an arbitrary path of his choosing.
 
 @item -h
 @itemx --no-dereference
-- 
2.13.6

[Prev in Thread]

Current Thread

[Next in Thread]

chown: race condition with --recursive -L, Michael Orlitzky, 2017/12/20
- Re: chown: race condition with --recursive -L, Michael Orlitzky, 2017/12/20
- Re: chown: race condition with --recursive -L, Bernhard Voelker, 2017/12/20
  - Re: chown: race condition with --recursive -L, Michael Orlitzky, 2017/12/20
- Re: chown: race condition with --recursive -L, Michael Orlitzky, 2017/12/28
  - Re: chown: race condition with --recursive -L, Bernhard Voelker, 2017/12/28
    - [PATCH 1/2] doc: clarify chown/chgrp --dereference defaults, Michael Orlitzky, 2017/12/28
    - [PATCH 2/2] doc: warn about following symlinks recursively in chown/chgrp, Michael Orlitzky <=

Prev by Date: [PATCH 1/2] doc: clarify chown/chgrp --dereference defaults
Next by Date: Multibyte support for sort, uniq, join, tr, cut, paste, expand, unexpand, fmt, fold, and pr
Previous by thread: [PATCH 1/2] doc: clarify chown/chgrp --dereference defaults
Next by thread: [PATCH] tests: fix recent portability issues on solaris 10
Index(es):
- Date
- Thread