Dear Salvatore, > ... if the attacher created a symlink between the rm and the mkdir > then mkdir will still fail with -p on a symlink. (Or do I miss > something?). ...
Yes, you missed a simple test: $ mkdir mydir $ ln -s mydir mylink $ ls -ld my* drwx------ 2 psz amstaff 4096 Oct 14 18:46 mydir lrwxrwxrwx 1 psz amstaff 5 Oct 14 18:46 mylink -> mydir $ mkdir -p mylink || echo failed $ mkdir -p mylink; echo $? 0 $ mkdir mylink || echo failed mkdir: cannot create directory `mylink': File exists failed $ mkdir mylink; echo $? mkdir: cannot create directory `mylink': File exists 1 $ ls -ld my* drwx------ 2 psz amstaff 4096 Oct 14 18:46 mydir lrwxrwxrwx 1 psz amstaff 5 Oct 14 18:46 mylink -> mydir $ showing that "mkdir -p" does not fail (but plain mkdir does). > On the practicality for Debian systems though this is mitigated by the > Kernel hardenings which are enabled by default: > > fs.protected_hardlinks=1 > fs.protected_symlink=1 > > which will prevent that the target of the symlink in /tmp will be > changed on the chown call. Another missing test (besides: who is changing anything?): # grep . /proc/sys/fs/prot* /proc/sys/fs/protected_hardlinks:1 /proc/sys/fs/protected_symlinks:1 # cd ~psz # ls -ld my* drwx------ 2 psz amstaff 4096 Oct 14 18:46 mydir lrwxrwxrwx 1 psz amstaff 5 Oct 14 18:46 mylink -> mydir # chown mike mylink # ls -ld my* drwx------ 2 mike amstaff 4096 Oct 14 18:46 mydir lrwxrwxrwx 1 psz amstaff 5 Oct 14 18:46 mylink -> mydir # > So while I think it should be fixed, this would not warrant a DSA, > since mitigated by default in Debian. No mitigation: fix and DSA, please! --- What response time should I have expected of team@security? You had close to a whole day... compared to that, Markus replied within the hour to the Debian bug. (But he did not yet reply to my next, private bug/message... seems public messaging works best!) Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia
