Bug#841371: /usr/bin/install: should use fchown, fchmod

2017-01-02 Thread Moritz Muehlenhoff
On Thu, Oct 20, 2016 at 10:30:46AM +1100, Paul Szabo wrote:
> Package: coreutils
> Version: 8.23-4
> Severity: important
> File: /usr/bin/install
> 
> 
> The install command is vulnerable to a race condition.
> 
> If used by root to create a file in a directory writable to users or
> groups other than root, then after install creates the file, the file
> just created could be replaced by a symlink: then lchown() would act on
> the symlink itself, and chmod() would act on the target of the symlink.
> 
> Seems it would be better for install to use fchown() and fchmod():
> safer, more robust, and maybe more efficient.
> 
> 
> Using strace shows that install does:
> 
> open("target", O_WRONLY|O_CREAT|O_EXCL|O_LARGEFILE, 0600) = 4
>  [write content with write(4,...)] ...
> fchmod(4, 0600) = 0
> close(4) = 0
> 
> lchown32("target", UID, GID) = 0
> chmod("target", MODE) = 0
> 
> 
> The last two commands should be changed into fchown() and fchmod(),
> and moved to be prior to the close().
> 
> 
> Would it help if I submitted patches?

Please do.

Thanks,
Moritz



Bug#841371: /usr/bin/install: should use fchown, fchmod

2016-10-19 Thread Paul Szabo
Package: coreutils
Version: 8.23-4
Severity: important
File: /usr/bin/install


The install command is vulnerable to a race condition.

If used by root to create a file in a directory writable to users or
groups other than root, then after install creates the file, the file
just created could be replaced by a symlink: then lchown() would act on
the symlink itself, and chmod() would act on the target of the symlink.

Seems it would be better for install to use fchown() and fchmod():
safer, more robust, and maybe more efficient.


Using strace shows that install does:

open("target", O_WRONLY|O_CREAT|O_EXCL|O_LARGEFILE, 0600) = 4
 [write content with write(4,...)] ...
fchmod(4, 0600) = 0
close(4) = 0

lchown32("target", UID, GID) = 0
chmod("target", MODE) = 0


The last two commands should be changed into fchown() and fchmod(),
and moved to be prior to the close().


Would it help if I submitted patches?

Thanks, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia


-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 3.16.7-ckt20-pk07.18-amd64 (SMP w/32 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages coreutils depends on:
ii  libacl1      2.2.52-2
ii  libattr1     1:2.4.47-2
ii  libc6        2.19-18+deb8u6
ii  libselinux1  2.3-2

coreutils recommends no packages.

coreutils suggests no packages.

-- no debconf information
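
The sequence proposed in the report, as an added example (not coreutils source and not a patch from this thread): owner and mode are set with fchown() and fchmod() on the descriptor returned by open(), before close(). The function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example; function names are hypothetical, not coreutils code.
 * Step 1: create the file exclusively and write it. Returns fd or -1. */
int create_and_write(const char *path, const void *buf, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    for (const char *p = buf; len > 0; ) {
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR)
            continue;               /* interrupted, retry the write */
        if (n < 0) {
            close(fd);
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return fd;
}

/* Step 2: set owner and mode through the descriptor, then close. Both calls
 * act on the inode opened in step 1, whatever the name refers to by now.
 * Owner goes first: changing ownership can clear setuid/setgid bits, so
 * the final mode is applied last. */
int finish_fd(int fd, uid_t uid, gid_t gid, mode_t mode)
{
    if (fchown(fd, uid, gid) < 0 || fchmod(fd, mode) < 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Whole sequence: no path-based call is made after the open(). */
int install_fd(const char *path, const void *buf, size_t len,
               uid_t uid, gid_t gid, mode_t mode)
{
    int fd = create_and_write(path, buf, len);
    return fd < 0 ? -1 : finish_fd(fd, uid, gid, mode);
}
```

Because step 2 never looks the name up again, a name that has been replaced by a symlink between the two steps does not redirect the owner or mode change.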