From 0aa9b0a92cb61af76b75b57abfd6ea1a7c627367 Mon Sep 17 00:00:00 2001
From: Michael Orlitzky <michael@orlitzky.com>
Date: Thu, 28 Dec 2017 15:52:42 -0500
Subject: [PATCH 1/2] doc: clarify chown/chgrp --dereference defaults
* doc/coreutils.texi: the documentation for the --dereference
flag of chown/chgrp states that it is the default mode of
operation. Document that this is only the case when operating
non-recursively.
Upstream-commit: 7597cfa482e42a00a69fb9577ee523762980a9a2
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
doc/coreutils.texi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/coreutils.texi b/doc/coreutils.texi
index de1f2eb..de06c0f 100644
--- a/doc/coreutils.texi
+++ b/doc/coreutils.texi
@@ -10989,7 +10989,7 @@ chown -h -R --from=OLDUSER NEWUSER /
@cindex symbolic links, changing owner
@findex lchown
Do not act on symbolic links themselves but rather on what they point to.
-This is the default.
+This is the default when not operating recursively.
@item -h
@itemx --no-dereference
@@ -11119,7 +11119,7 @@ changed.
@cindex symbolic links, changing owner
@findex lchown
Do not act on symbolic links themselves but rather on what they point to.
-This is the default.
+This is the default when not operating recursively.
@item -h
@itemx --no-dereference
--
2.13.6
From 3fb331864c718e065804049001b573ff94810772 Mon Sep 17 00:00:00 2001
From: Michael Orlitzky <michael@orlitzky.com>
Date: Thu, 4 Jan 2018 11:38:21 -0500
Subject: [PATCH 2/2] doc: warn about following symlinks recursively in
chown/chgrp
In both chown and chgrp (which shares its code with chown), operating
on symlinks recursively has a window of vulnerability where the
destination user or group can change the target of the operation.
Warn about combining the --dereference, --recursive, and -L flags.
* doc/coreutils.texi (warnOptDerefWithRec): Add macro.
(node chown invocation): Add it to --dereference and -L.
(node chgrp invocation): Likewise.
See also: CVE-2017-18018
Upstream-commit: bc2fd9796403e03bb757b064d44c22fab92e6842
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
doc/coreutils.texi | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/doc/coreutils.texi b/doc/coreutils.texi
index de06c0f..24cc85b 100644
--- a/doc/coreutils.texi
+++ b/doc/coreutils.texi
@@ -1428,6 +1428,19 @@ a command line argument is a symbolic link to a directory, traverse it.
In a recursive traversal, traverse every symbolic link to a directory
that is encountered.
@end macro
+
+@c Append the following warning to -L where appropriate (e.g. chown).
+@macro warnOptDerefWithRec
+
+Combining this dereferencing option with the @option{--recursive} option
+may create a security risk:
+During the traversal of the directory tree, an attacker may be able to
+introduce a symlink to an arbitrary target; when the tool reaches that,
+the operation will be performed on the target of that symlink,
+possibly allowing the attacker to escalate privileges.
+
+@end macro
+
@choptL
@macro choptP
@@ -10990,6 +11003,7 @@ chown -h -R --from=OLDUSER NEWUSER /
@findex lchown
Do not act on symbolic links themselves but rather on what they point to.
This is the default when not operating recursively.
+@warnOptDerefWithRec
@item -h
@itemx --no-dereference
@@ -11046,6 +11060,7 @@ Recursively change ownership of directories and their contents.
@xref{Traversing symlinks}.
@choptL
+@warnOptDerefWithRec
@xref{Traversing symlinks}.
@choptP
@@ -11120,6 +11135,7 @@ changed.
@findex lchown
Do not act on symbolic links themselves but rather on what they point to.
This is the default when not operating recursively.
+@warnOptDerefWithRec
@item -h
@itemx --no-dereference
@@ -11175,6 +11191,7 @@ Recursively change the group ownership of directories and their contents.
@xref{Traversing symlinks}.
@choptL
+@warnOptDerefWithRec
@xref{Traversing symlinks}.
@choptP
--
2.13.6