| Brad Bishop | 220d553 | 2018-08-14 00:59:39 +0100 | [diff] [blame] | 1 | From bc2fd9796403e03bb757b064d44c22fab92e6842 Mon Sep 17 00:00:00 2001 |
| 2 | From: Michael Orlitzky <michael@orlitzky.com> |
| 3 | Date: Thu, 4 Jan 2018 11:38:21 -0500 |
| 4 | Subject: doc: warn about following symlinks recursively in chown/chgrp |
| 5 | |
| 6 | In both chown and chgrp (which shares its code with chown), operating |
| 7 | on symlinks recursively has a window of vulnerability where the |
| 8 | destination user or group can change the target of the operation. |
| 9 | Warn about combining the --dereference, --recursive, and -L flags. |
| 10 | |
| 11 | * doc/coreutils.texi (warnOptDerefWithRec): Add macro. |
| 12 | (node chown invocation): Add it to --dereference and -L. |
| 13 | (node chgrp invocation): Likewise. |
| 14 | |
| 15 | See also: CVE-2017-18018 |
| 16 | CVE: CVE-2017-18018 |
| 17 | Upstream-Status: Backport from v8.30 |
| 18 | |
| 19 | Signed-off-by: Michael Orlitzky <michael@orlitzky.com> |
| 20 | Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> |
| 21 | --- |
| 22 | doc/coreutils.texi | 17 +++++++++++++++++ |
| 23 | 1 file changed, 17 insertions(+) |
| 24 | |
| 25 | diff --git a/doc/coreutils.texi b/doc/coreutils.texi |
| 26 | index 6bb9f09..9f5f95b 100644 |
| 27 | --- a/doc/coreutils.texi |
| 28 | +++ b/doc/coreutils.texi |
| 29 | @@ -1428,6 +1428,19 @@ a command line argument is a symbolic link to a directory, traverse it. |
| 30 | In a recursive traversal, traverse every symbolic link to a directory |
| 31 | that is encountered. |
| 32 | @end macro |
| 33 | + |
| 34 | +@c Append the following warning to -L where appropriate (e.g. chown). |
| 35 | +@macro warnOptDerefWithRec |
| 36 | + |
| 37 | +Combining this dereferencing option with the @option{--recursive} option |
| 38 | +may create a security risk: |
| 39 | +During the traversal of the directory tree, an attacker may be able to |
| 40 | +introduce a symlink to an arbitrary target; when the tool reaches that, |
| 41 | +the operation will be performed on the target of that symlink, |
| 42 | +possibly allowing the attacker to escalate privileges. |
| 43 | + |
| 44 | +@end macro |
| 45 | + |
| 46 | @choptL |
| 47 | |
| 48 | @macro choptP |
| 49 | @@ -10995,6 +11008,7 @@ chown -h -R --from=OLDUSER NEWUSER / |
| 50 | @findex lchown |
| 51 | Do not act on symbolic links themselves but rather on what they point to. |
| 52 | This is the default when not operating recursively. |
| 53 | +@warnOptDerefWithRec |
| 54 | |
| 55 | @item -h |
| 56 | @itemx --no-dereference |
| 57 | @@ -11051,6 +11065,7 @@ Recursively change ownership of directories and their contents. |
| 58 | @xref{Traversing symlinks}. |
| 59 | |
| 60 | @choptL |
| 61 | +@warnOptDerefWithRec |
| 62 | @xref{Traversing symlinks}. |
| 63 | |
| 64 | @choptP |
| 65 | @@ -11125,6 +11140,7 @@ changed. |
| 66 | @findex lchown |
| 67 | Do not act on symbolic links themselves but rather on what they point to. |
| 68 | This is the default when not operating recursively. |
| 69 | +@warnOptDerefWithRec |
| 70 | |
| 71 | @item -h |
| 72 | @itemx --no-dereference |
| 73 | @@ -11180,6 +11196,7 @@ Recursively change the group ownership of directories and their contents. |
| 74 | @xref{Traversing symlinks}. |
| 75 | |
| 76 | @choptL |
| 77 | +@warnOptDerefWithRec |
| 78 | @xref{Traversing symlinks}. |
| 79 | |
| 80 | @choptP |
| 81 | -- |
| 82 | cgit v1.0-41-gc330 |
| 83 | |