GNU fileutils recursive directory removal race condition
12th Mar 2002 [SBWID-5179]
COMMAND
	GNU fileutils recursive directory removal race condition
SYSTEMS AFFECTED
	GNU fileutils 4.1 stable and 4.1.6 development version
PROBLEM
	Wojciech Purczynski found the following:
	
	A race condition in various utilities from the GNU fileutils package
	may cause the root user to delete the whole filesystem.
	
	 Description
	 ===========
	
	The GNU File Utilities are the basic file-manipulation utilities of the
	GNU operating system.
	
	
	 Details
	 =======
	
	An insecure chdir("..") syscall is made after removing the contents of
	a subdirectory, in order to get back to the parent directory during
	recursive removal of a directory tree.
	
	Example of 'rm -fr /tmp/a' removing the '/tmp/a/b/c' directory tree:
	
	(strace output simplified for better readability)
	
	
	chdir("/tmp/a") = 0
	chdir("b") = 0
	chdir("c") = 0
	chdir("..") = 0
	rmdir("c") = 0
	chdir("..") = 0
	rmdir("b") = 0
	fchdir(3) = 0
	rmdir("/tmp/a") = 0
	
	
	After the current directory is changed to /tmp/a/b/c, a race condition
	occurs. If the /tmp/a/b/c directory is then moved to /tmp/c, the two
	subsequent chdir("..") syscalls will move first to /tmp and then to the
	root directory /, and rm will start removing files from the whole
	filesystem if it has enough privileges (i.e. if called by the root user).
	
	The time window for this race condition depends on how complicated the
	directory structure is.
	
	The same issue also affects the mv utility when the source and
	destination directories lie on different filesystems and the source is
	removed after the copy is created on the destination.
	
	
	 Impact
	 ======
	
	Unprivileged users may launch a daemon program that detects the
	removal of the user's directories and exploits the race condition,
	leading to Denial of Service.
	
	
SOLUTION
	Apply the patch available at:
	
	http://mail.gnu.org/pipermail/bug-fileutils/2002-March/002440.html
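	
	One way a recursive walker can guard the chdir("..") step described under Details is to record the parent's device and inode before descending and compare them after going back up. This is an added example, not the patch linked above or fileutils code; enter_dir, leave_dir and walk_back_check are hypothetical names, and the directory tree is constructed in a fresh temporary directory.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and fchdir() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: enter `name`, recording the identity of the directory we leave. */
static int enter_dir(const char *name, struct stat *parent)
{
    return stat(".", parent) != 0 ? -1 : chdir(name);
}

/* Go back up, then check device and inode against what enter_dir() recorded.
   Returns 0 if we are where we expect, -1 if the tree moved underneath us. */
static int leave_dir(const struct stat *parent)
{
    struct stat now;
    if (chdir("..") != 0 || stat(".", &now) != 0) return -1;
    return (now.st_dev == parent->st_dev && now.st_ino == parent->st_ino) ? 0 : -1;
}

/* Constructed scenario: build a/b/c in a fresh temp dir, enter c, optionally move
   c up to the temp dir, step back up. Returns leave_dir()'s verdict, -2 on setup error. */
int walk_back_check(int relocate)
{
    char base[] = "/tmp/rmrace-XXXXXX";
    struct stat parent;
    int start = open(".", O_RDONLY), rc;
    if (start < 0 || !mkdtemp(base) || chdir(base) != 0)
        return -2;
    if (mkdir("a", 0700) || mkdir("a/b", 0700) || mkdir("a/b/c", 0700) ||
        chdir("a/b") || enter_dir("c", &parent))
        return -2;
    if (relocate && rename("../c", "../../../c") != 0)   /* a/b/c becomes c */
        return -2;
    rc = leave_dir(&parent);
    /* Remove the constructed tree and restore the original working directory. */
    if (chdir(base) == 0) { rmdir(relocate ? "c" : "a/b/c"); rmdir("a/b"); rmdir("a"); }
    if (fchdir(start) == 0) rmdir(base);
    close(start);
    return rc;
}

int main(void)
{
    printf("untouched: %d, relocated: %d\n", walk_back_check(0), walk_back_check(1));
    return 0;
}
```

A walker that gets -1 from leave_dir should stop deleting instead of continuing from the unexpected directory.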
	
