From 0aa9b0a92cb61af76b75b57abfd6ea1a7c627367 Mon Sep 17 00:00:00 2001 From: Michael Orlitzky Date: Thu, 28 Dec 2017 15:52:42 -0500 Subject: [PATCH 1/2] doc: clarify chown/chgrp --dereference defaults * doc/coreutils.texi: the documentation for the --dereference flag of chown/chgrp states that it is the default mode of operation. Document that this is only the case when operating non-recursively. Upstream-commit: 7597cfa482e42a00a69fb9577ee523762980a9a2 Signed-off-by: Kamil Dudka --- doc/coreutils.texi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/coreutils.texi b/doc/coreutils.texi index de1f2eb..de06c0f 100644 --- a/doc/coreutils.texi +++ b/doc/coreutils.texi @@ -10989,7 +10989,7 @@ chown -h -R --from=OLDUSER NEWUSER / @cindex symbolic links, changing owner @findex lchown Do not act on symbolic links themselves but rather on what they point to. -This is the default. +This is the default when not operating recursively. @item -h @itemx --no-dereference @@ -11119,7 +11119,7 @@ changed. @cindex symbolic links, changing owner @findex lchown Do not act on symbolic links themselves but rather on what they point to. -This is the default. +This is the default when not operating recursively. @item -h @itemx --no-dereference -- 2.13.6 From 3fb331864c718e065804049001b573ff94810772 Mon Sep 17 00:00:00 2001 From: Michael Orlitzky Date: Thu, 4 Jan 2018 11:38:21 -0500 Subject: [PATCH 2/2] doc: warn about following symlinks recursively in chown/chgrp In both chown and chgrp (which shares its code with chown), operating on symlinks recursively has a window of vulnerability where the destination user or group can change the target of the operation. Warn about combining the --dereference, --recursive, and -L flags. * doc/coreutils.texi (warnOptDerefWithRec): Add macro. (node chown invocation): Add it to --dereference and -L. (node chgrp invocation): Likewise. See also: CVE-2017-18018 Upstream-commit: bc2fd9796403e03bb757b064d44c22fab92e6842 Signed-off-by: Kamil Dudka --- doc/coreutils.texi | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/doc/coreutils.texi b/doc/coreutils.texi index de06c0f..24cc85b 100644 --- a/doc/coreutils.texi +++ b/doc/coreutils.texi @@ -1428,6 +1428,19 @@ a command line argument is a symbolic link to a directory, traverse it. In a recursive traversal, traverse every symbolic link to a directory that is encountered. @end macro + +@c Append the following warning to -L where appropriate (e.g. chown). +@macro warnOptDerefWithRec + +Combining this dereferencing option with the @option{--recursive} option +may create a security risk: +During the traversal of the directory tree, an attacker may be able to +introduce a symlink to an arbitrary target; when the tool reaches that, +the operation will be performed on the target of that symlink, +possibly allowing the attacker to escalate privileges. + +@end macro + @choptL @macro choptP @@ -10990,6 +11003,7 @@ chown -h -R --from=OLDUSER NEWUSER / @findex lchown Do not act on symbolic links themselves but rather on what they point to. This is the default when not operating recursively. +@warnOptDerefWithRec @item -h @itemx --no-dereference @@ -11046,6 +11060,7 @@ Recursively change ownership of directories and their contents. @xref{Traversing symlinks}. @choptL +@warnOptDerefWithRec @xref{Traversing symlinks}. @choptP @@ -11120,6 +11135,7 @@ changed. @findex lchown Do not act on symbolic links themselves but rather on what they point to. This is the default when not operating recursively. +@warnOptDerefWithRec @item -h @itemx --no-dereference @@ -11175,6 +11191,7 @@ Recursively change the group ownership of directories and their contents. @xref{Traversing symlinks}. @choptL +@warnOptDerefWithRec @xref{Traversing symlinks}. @choptP -- 2.13.6