For this to be an attack requires that it be exploitable. Updating a
different file is not exploitable unless it was a file that the user should
not have had access to. As such, the race with chmod likely only applies to
replacement by a symlink. While replacement with a normal file might lead
to unexpected behaviors (especially because we're also sharing the path
name given in `bind` and will much later call `connect` to it), that is
likely not exploitable. Since the rogue program already demonstrated having
permissions to modify the file mask (by deleting the file), tricking libuv
instead into modifying that mask would not be a security escalation. Using
`lchmod` solves that problem, by ensuring that libuv would only be able to
change the permissions of a file that the attack program also already had
permissions to alter.


On Wed, Nov 7, 2018 at 11:08 AM Jan Staněk <[email protected]> wrote:

> Hi Jameson,
>
> On 07. 11. 18 16:03, Jameson Nash wrote:
> > After researching the literature (aka Google) on this, I've learned that
> > the TOCTOU on `chmod` apparently does not extend to `lchmod`. In
> > particular, while it is not (possibly never?) safe to call `chmod`, it
> > is always safe to use `lchmod`.
>
> This vulnerability does not lie in the `chmod` itself, but rather in the
> `stat`/`chmod` sequence. Basically, if an attacker manages to replace
> the file `/path` between these calls (i.e. with a symlink, where the
> `lchmod` could help, but not limited to it), the code will end up
> copying unintended permissions from the old file to the new one.
> Granted, it is not a great attack surface, but it is exploitable.
>
> Disclaimer: I'm far from a security expert, so anyone is welcome to
> correct the above paragraph, should it be wrong ;)
> --
> Jan Staněk
> Associate Software Engineer, Core Services
> Red Hat Czech
> [email protected]     IM: jstanek
>
> --
> You received this message because you are subscribed to the Google Groups
> "libuv" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/libuv.
> For more options, visit https://groups.google.com/d/optout.
>
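
An added example, not code from this thread or from libuv: the path-based `stat`/`chmod` sequence discussed above next to a descriptor-pinned variant, run against a symlink. The function names, the `/tmp` paths and the 0066 bits are assumptions made for the demo, and the pinned variant assumes a readable regular file on a POSIX system.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Path-based sequence from the thread: stat() and chmod() each resolve
 * `path` again, and both follow a symlink found there. */
int add_bits_by_path(const char *path, mode_t bits) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    /* window: `path` can be replaced before the next call */
    return chmod(path, (st.st_mode | bits) & 07777);
}

/* Pinned variant: open() once with O_NOFOLLOW, then fstat()/fchmod() on that
 * descriptor. Assumes a readable regular file; open() fails on a socket. */
int add_bits_pinned(const char *path, mode_t bits) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;              /* ELOOP on Linux for a symlink */
    int rc = fstat(fd, &st);
    if (rc == 0 && !S_ISREG(st.st_mode)) { errno = EINVAL; rc = -1; }
    if (rc == 0) rc = fchmod(fd, (st.st_mode | bits) & 07777);
    close(fd);
    return rc;
}

/* Constructed scenario: in a private temp dir, `node` is a symlink to
 * `target` (mode 0600). Returns target's mode after the chosen routine. */
int target_mode_after(int pinned) {
    char dir[] = "/tmp/chmod-demo-XXXXXX", target[64], node[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(node, sizeof node, "%s/node", dir);
    int fd = open(target, O_CREAT | O_WRONLY, 0600);
    int ok = fd >= 0 && fchmod(fd, 0600) == 0 && symlink(target, node) == 0;
    if (fd >= 0) close(fd);
    if (ok) (pinned ? add_bits_pinned : add_bits_by_path)(node, 0066);
    int mode = (ok && stat(target, &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    unlink(node); unlink(target); rmdir(dir);
    return mode;
}

int main(void) {
    printf("by path: %04o\n", (unsigned)target_mode_after(0));
    printf("pinned:  %04o\n", (unsigned)target_mode_after(1));
    return 0;
}
```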
