rm - recursive directory removal race condition
From: Wojciech Purczynski
Subject: rm - recursive directory removal race condition
Date: Thu, 7 Mar 2002 22:43:35 +0100 (CET)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Name: fileutils
Version: 4.1 stable and 4.1.6 development version
Author: Wojciech Purczynski <address@hidden>
Date: March 7, 2002
Issue:
- ------
A race condition in the rm utility may cause the root user to delete the
whole filesystem.
Description:
- ------------
The GNU File Utilities are the basic file-manipulation utilities of the
GNU operating system. The rm utility is designed to remove files and
directories from the file system.
Details:
- --------
An insecure chdir("..") operation is done after removing the content of a
subdirectory in order to get back to the upper directory during recursive
removal of a directory tree.
Example of 'rm -fr /tmp/a' removing '/tmp/a/b/c' directory tree:
(strace output simplified for better readability)
chdir("/tmp/a") = 0
chdir("b") = 0
chdir("c") = 0
chdir("..") = 0
rmdir("c") = 0
chdir("..") = 0
rmdir("b") = 0
fchdir(3) = 0
rmdir("/tmp/a") = 0
Once rm has changed its current directory to /tmp/a/b/c, a race condition
occurs. If we then move the /tmp/a/b/c directory to /tmp/c, the two
subsequent chdir("..") operations will move to the root directory / and rm
will start removing files from the whole file system if it has enough
privileges (i.e. if called by the root user). Other scenarios are possible
depending on how we modify the directory structure that is under removal.
The timeframe of this race condition depends on how complicated the
directory structure is.
Impact:
- -------
An unprivileged user may launch a daemon program that will detect the
removal operation of the user's directories and exploit the race condition,
leading to Denial of Service.
Fix:
- ----
Before going down into a subdirectory, rm should store the device and inode
numbers of the current directory. After the chdir("..") operation, the
stored device and inode numbers should be verified against the device and
inode numbers of the directory it has changed to.
Wojciech Purczynski
iSEC Security Research
http://isec.pl/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8h98jC+8U3Z5wpu4RAtgQAJ417awb4woSYyJJldFqL4WXKzn1SACcDPv8
f0IwtZGX2HQKAoT9RwYqZEk=
=wDqS
-----END PGP SIGNATURE-----
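The check proposed under "Fix", as an added example (not code from fileutils or from the advisory's author): the device and inode of the parent are saved before descending and compared after chdir(".."). The names chdir_up_checked and simulate, and the scratch directory under /tmp, are constructed for this illustration.

```c
#define _DEFAULT_SOURCE 1   /* for mkdtemp() */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* chdir("..") and confirm we arrived in the directory whose device and
 * inode were saved before descending. 0 = ok, 1 = mismatch, -1 = error. */
int chdir_up_checked(const struct stat *saved)
{
    struct stat now;
    if (chdir("..") != 0 || stat(".", &now) != 0)
        return -1;
    return (now.st_dev == saved->st_dev && now.st_ino == saved->st_ino) ? 0 : 1;
}

/* Constructed scenario: build <tmp>/a/b/c, descend to c as rm does, and
 * optionally move c up to <tmp>/c (the advisory's race) before returning.
 * Returns what chdir_up_checked() reports for the step from c back to b. */
int simulate(int move_c)
{
    char top[] = "/tmp/rmrace.XXXXXX", from[64], to[64];
    struct stat b_id;
    int result;

    if (mkdtemp(top) == NULL || chdir(top) != 0)
        return -1;
    if (mkdir("a", 0700) || mkdir("a/b", 0700) || mkdir("a/b/c", 0700))
        return -1;
    snprintf(from, sizeof from, "%s/a/b/c", top);
    snprintf(to, sizeof to, "%s/c", top);

    if (chdir("a/b") != 0 || stat(".", &b_id) != 0)   /* remember b */
        return -1;
    if (chdir("c") != 0)                              /* descend into c */
        return -1;
    if (move_c && rename(from, to) != 0)              /* concurrent mv */
        return -1;
    result = chdir_up_checked(&b_id);                 /* ".." is b, or top */
    /* Clean up by absolute path; c is in one of two places. */
    if (chdir("/") != 0) return -1;
    rmdir(move_c ? to : from);
    snprintf(from, sizeof from, "%s/a/b", top); rmdir(from);
    snprintf(from, sizeof from, "%s/a", top);   rmdir(from);
    rmdir(top);
    return result;
}

/* Exit status 0 when the undisturbed walk passes and the moved one is caught. */
int main(void) { return !(simulate(0) == 0 && simulate(1) == 1); }
```

A caller that gets a non-zero result should stop the traversal rather than continue removing entries from the directory it landed in.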