GNU fileutils recursive directory removal race condition



12th Mar 2002 [SBWID-5179]
COMMAND

	GNU fileutils recursive directory removal race condition

SYSTEMS AFFECTED

	GNU fileutils 4.1 stable and 4.1.6 development version

PROBLEM

	Wojciech Purczynski found the following:
	

	A race condition in various utilities from the GNU fileutils package
	may cause the root user to delete the whole filesystem.
	

	 Description
	 ===========

	

	The GNU File Utilities are the basic file-manipulation utilities of  the
	GNU operating system.
	

	

	 Details
	 =======

	

	An insecure chdir("..") syscall is made after removing the contents of
	a subdirectory in order to get back to the upper directory during
	recursive removal of a directory tree.
	

	Example of 'rm -fr /tmp/a' removing the '/tmp/a/b/c' directory tree:
	

	(strace output simplified for better readability)
	

	

	chdir("/tmp/a")                         = 0
	chdir("b")                              = 0
	chdir("c")                              = 0
	chdir("..")                             = 0
	rmdir("c")                              = 0
	chdir("..")                             = 0
	rmdir("b")                              = 0
	fchdir(3)                               = 0
	rmdir("/tmp/a")                         = 0

	

	

	After the current directory is changed to /tmp/a/b/c, a race condition
	occurs. If we then move the /tmp/a/b/c directory to /tmp/c, the two
	subsequent chdir("..") syscalls will move to the root directory / and
	rm will start removing files from the whole file system if it has
	enough privileges (i.e. if called by the root user).
	

	The timeframe of this race condition depends on how complicated the
	directory structure is.
	

	The same issue also affects the mv utility when the source and
	destination directories lie on different filesystems and the source
	files are removed after a copy is created on the destination.
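
One way to detect the condition described above, as an added example (not the fileutils patch and not code from the advisory): record the parent directory's device and inode numbers before descending, and compare them after chdir(".."). The function names and the /tmp/chdir-demo-* scratch paths are assumptions made for the demo, which relocates its own scratch directory to show the check firing.

```c
/* Added example; names and /tmp/chdir-demo-* paths are made up for the demo. */
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Go up one level, then check that "." is the directory recorded in
   `expected` before the descent. Returns 0 if it is, -1 otherwise. */
int checked_ascend(const struct stat *expected)
{
    struct stat now;
    if (chdir("..") != 0 || stat(".", &now) != 0)
        return -1;
    return (now.st_dev == expected->st_dev &&
            now.st_ino == expected->st_ino) ? 0 : -1;
}

/* Build <base>/a/b/c, enter c, optionally move c to <base>/c while inside
   it, then ascend with the check. Returns its result, or -2 if setup failed. */
int demo(int relocate)
{
    char base[64], from[96], to[96];
    struct stat id_b;   /* identity of <base>/a/b, taken before entering c */
    int rc;
    snprintf(base, sizeof base, "/tmp/chdir-demo-%ld-%d", (long)getpid(), relocate);
    snprintf(from, sizeof from, "%s/a/b/c", base);
    snprintf(to, sizeof to, "%s/c", base);
    /* mkdir() fails if the name already exists, so nothing is reused. */
    if (mkdir(base, 0700) || chdir(base) || mkdir("a", 0700) ||
        mkdir("a/b", 0700) || mkdir("a/b/c", 0700) ||
        chdir("a/b") || stat(".", &id_b) || chdir("c"))
        return -2;
    if (relocate && rename(from, to) != 0)
        return -2;
    rc = checked_ascend(&id_b);  /* a bare chdir("..") cannot tell the difference */
    /* Clean up; rmdir() on names that do not exist simply fails. */
    if (chdir(base) == 0) {
        rmdir("c"); rmdir("a/b/c"); rmdir("a/b"); rmdir("a");
    }
    if (chdir("/") == 0)
        rmdir(base);
    return rc;
}

int main(void)
{
    printf("tree intact: %d\n", demo(0));
    printf("c relocated: %d\n", demo(1));
    return 0;
}
```

A recursive removal that gets -1 from such a check should abort the traversal instead of continuing to unlink entries.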
	

	

	 Impact
	 ======

	

	Unprivileged users may launch a daemon program that detects the
	removal of the user's directories and exploits the race condition,
	leading to Denial of Service.
	

	

SOLUTION

	Apply the patch available at:
	

	http://mail.gnu.org/pipermail/bug-fileutils/2002-March/002440.html

	

