[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 2/2] doc: warn about following symlinks recursively in chown/
|
From: |
Michael Orlitzky |
|
Subject: |
Re: [PATCH 2/2] doc: warn about following symlinks recursively in chown/chgrp |
|
Date: |
Wed, 3 Jan 2018 19:24:31 -0500 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 |
On 01/03/2018 04:24 PM, Bernhard Voelker wrote:
>> +This option creates a security risk: an attacker may be able to
>> +introduce a symlink that reorders the directory traversal, resulting
>> +in the operation being performed on an arbitrary path of his choosing.
>
> I'm not an English native-speaker, and somehow this "reorders the directory
> traversal" thing confuses me, so I doubt that a regular user will find this
> sufficiently explanatory.
And on second thought, it's actually a bit misleading. There are two
symlinks involved,
a) the one that results in a non-depth-first traversal, and
b) the one that points to the file that the attacker wants to steal.
The (a) symlink may not be introduced by the attacker at all. The case
that I originally had in mind was a tarball containing symlinks. If
there's an (a) symlink in the tarball, then e.g. the "apache" user
doesn't have to introduce it to exploit the race by creating the (b)
symlink.
> Can you find some better words along the above lines?
Despite my inability to thread the replies correctly, I just sent one.
If it's still lacking, just say so, I don't mind taking another shot at it.
Re: [PATCH 2/2] doc: warn about following symlinks recursively in chown/chgrp,
Michael Orlitzky <=