Name:    fileutils
Version: 4.1 stable and 4.1.6 development version
Author:  Wojciech Purczynski <[EMAIL PROTECTED]>
Date:    March 7, 2002

Issue:
------
A race condition in the rm utility may cause the root user to delete the whole filesystem.

Description:
------------
The GNU File Utilities are the basic file-manipulation utilities of the GNU operating system. The rm utility is designed to remove files and directories from the file system.

Details:
--------
An insecure chdir("..") operation is performed after removing the contents of a subdirectory, in order to get back to the upper directory during recursive removal of a directory tree.

Example of 'rm -fr /tmp/a' removing the '/tmp/a/b/c' directory tree (strace output simplified for better readability):

    chdir("/tmp/a") = 0
    chdir("b") = 0
    chdir("c") = 0
    chdir("..") = 0
    rmdir("c") = 0
    chdir("..") = 0
    rmdir("b") = 0
    fchdir(3) = 0
    rmdir("/tmp/a") = 0

After rm's current directory has changed to /tmp/a/b/c, a race condition occurs. If we then move the /tmp/a/b/c directory to /tmp/c, the two subsequent chdir("..") operations will move to the root directory /, and rm will start removing files from the whole file system if it has enough privileges (i.e. if called by the root user).

Other scenarios are possible depending on how we modify the directory structure that is under removal. The time window for this race condition depends on how complex the directory structure is.

Impact:
-------
An unprivileged user may launch a daemon program that will detect the removal of the user's directories and exploit the race condition, leading to Denial of Service.

Fix:
----
Before going down into a subdirectory, rm should store the device and inode numbers of the current directory. After the chdir("..") operation, the stored device and inode numbers should be verified against the device and inode numbers of the directory it has changed to.
Wojciech Purczynski
iSEC Security Research
http://isec.pl/
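
The check described under "Fix", as an added example (not code from the advisory or from fileutils). The helper names save_cwd_id, chdir_up_checked and simulate, and the /tmp/rmrace-XXXXXX scratch directory, are assumptions made for illustration; simulate() rebuilds the a/b/c layout from the advisory inside that scratch directory and shows that the dev/inode comparison rejects the chdir("..") once c has been moved.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Record the identity of the current directory before descending. */
int save_cwd_id(struct stat *id) { return stat(".", id); }

/* chdir("..") and confirm we arrived in the directory recorded earlier.
 * Returns 0 on a match, -1 if chdir/stat failed or the parent is a
 * different directory (the tree was rearranged while we were below it). */
int chdir_up_checked(const struct stat *expected) {
    struct stat now;
    if (chdir("..") != 0 || stat(".", &now) != 0)
        return -1;
    if (now.st_dev != expected->st_dev || now.st_ino != expected->st_ino)
        return -1;   /* caller must stop removing and report an error */
    return 0;
}

/* Constructed scenario in a scratch directory: descend base/a/b -> c,
 * optionally move c to base/c as the advisory describes, then go up.
 * Returns chdir_up_checked()'s verdict, or -2 if setup failed. */
int simulate(int move_while_inside) {
    char base[] = "/tmp/rmrace-XXXXXX", src[64], dst[64];
    struct stat parent_id;
    int rc;
    if (!mkdtemp(base) || chdir(base) != 0) return -2;
    if (mkdir("a", 0700) || mkdir("a/b", 0700) || mkdir("a/b/c", 0700)) return -2;
    if (chdir("a/b") != 0 || save_cwd_id(&parent_id) != 0) return -2;
    if (chdir("c") != 0) return -2;
    snprintf(src, sizeof src, "%s/a/b/c", base);
    snprintf(dst, sizeof dst, "%s/c", base);
    if (move_while_inside && rename(src, dst) != 0) return -2;
    rc = chdir_up_checked(&parent_id);
    if (chdir(base) == 0) {            /* clean up the scratch tree */
        rmdir("c"); rmdir("a/b/c"); rmdir("a/b"); rmdir("a");
    }
    if (chdir("/") == 0) rmdir(base);
    return rc;
}

int main(void) {
    printf("tree untouched: %d\n", simulate(0));
    printf("c moved away:   %d\n", simulate(1));
    return 0;
}
```

A recursive remover built this way has to treat a -1 from chdir_up_checked() as fatal for that subtree, since its current directory is no longer where it believes it is.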