MillaFleurs created an issue (rpm-software-management/rpm#4200)
**Describe the bug**
In fsm.cc line 478 we have this comment here:
```cpp
/* XXX TODO: actually check for the rc, but what to do there? */
```
This comment is around the fact that when rpm removes a file it strips the
setuid/setgid bit before erasing or replacing in order to prevent surviving
hardlinks from keeping privileged mode bits.
I am providing a patch to fix this TODO / bug.
**To Reproduce**
I'm attaching a file poc.sh. Run poc.sh as root and you will create a hardlink.
**Expected behavior**
The hardlink should be stripped of the setuid bit. Instead the hardlink keeps
the setuid bit. This can create a hidden bug. Hardlink keeps the same inode.
So what should happen is the hardlink should have the setuid removed but
instead it keeps it.
**Output**
From my POC:
```text
Before erase:
inode=52419 links=2 mode=4755 owner=root:root
path=/tmp/tmp.4SVYjU1Jhd/root/opt/rpm1/suidbin
inode=52419 links=2 mode=4755 owner=root:root
path=/tmp/tmp.4SVYjU1Jhd/root/tmp/suid_keepsake
rpm -e exit code: 0
After erase:
inode=52419 links=1 mode=4755 owner=root:root
path=/tmp/tmp.4SVYjU1Jhd/root/tmp/suid_keepsake
```
`/tmp/suid_keepsake` still has the setuid bit set.
**Environment**
- OS / Distribution: CentOS Stream release 10 (Coughlan)
- Version: RPM 4.19.1.1
**Additional context**
Bug found using the [N184 Bug and Vulnerability
Scanner](https://github.com/MillaFleurs/N184)
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/4200
Rpm-maint mailing list
[email protected]
https://lists.rpm.org/mailman/listinfo/rpm-maint