Expected behaviour with install 5.2.1:
magic:~# mkdir /tmp/conf
magic:~# chmod 1234 /tmp/conf
magic:~# ls -ld /tmp/conf
d-w--wxr-T  2 root root 4096 2007-05-01 11:00 /tmp/conf
magic:~# install -d -o root -g root  -m 0777 /tmp/conf
magic:~# ls -ld /tmp/conf
drwxrwxrwx  2 root root 4096 2007-05-01 11:00 /tmp/conf
magic:~# install -d -o root -g root  -m 751 /tmp/conf
magic:~# ls -ld /tmp/conf
drwxr-x--x  2 root root 4096 2007-05-01 11:00 /tmp/conf

Incorrect/Insecure behaviour with install 5.93 or 5.97:
[EMAIL PROTECTED]:~# chmod 1234 /tmp/conf
[EMAIL PROTECTED]:~# l -d /tmp/conf
d-w--wxr-T 2 nobody nobody 4096 May  1 10:38 /tmp/conf/
[EMAIL PROTECTED]:~# install -d -o nobody -g nobody -m 777 /tmp/conf
[EMAIL PROTECTED]:~# l -d /tmp/conf
d-w--wxr-T 2 nobody nobody 4096 May  1 10:38 /tmp/conf/
[EMAIL PROTECTED]:~# install -d -o nobody -g nobody -m 2777 /tmp/conf
[EMAIL PROTECTED]:~# l -d /tmp/conf
drwxrwsrwx 2 nobody nobody 4096 May  1 10:38 /tmp/conf/
[EMAIL PROTECTED]:~# install -d -o nobody -g nobody -m 2555 /tmp/conf
[EMAIL PROTECTED]:~# l -d /tmp/conf
dr-xr-sr-x 2 nobody nobody 4096 May  1 10:38 /tmp/conf/
[EMAIL PROTECTED]:~# install -d -o nobody -g nobody -m 0755 /tmp/conf
[EMAIL PROTECTED]:~# l -d /tmp/conf
dr-xr-sr-x 2 nobody nobody 4096 May  1 10:38 /tmp/conf/
[EMAIL PROTECTED]:~# install -d -o nobody -g nobody -m 1755 /tmp/conf
[EMAIL PROTECTED]:~# l -d /tmp/conf
drwxr-xr-t 2 nobody nobody 4096 May  1 10:38 /tmp/conf/

As you can see, the newer install refuses to reset permissions unless
there is some leading byte.

I haven't spent the time scanning open source software that uses install on
critical directories (spool, cron, etc...), but I'm sure one could find a
place where install not properly narrowing perms could lead to some local
exploit.

Anyway, whether that's the case or not, I hope you can get install fixed to
work like earlier versions, and as expected by scripts.

Thanks
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/  


_______________________________________________
Bug-coreutils mailing list
Bug-coreutils@gnu.org
http://lists.gnu.org/mailman/listinfo/bug-coreutils
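
The check a packaging or deployment script could run to catch the behaviour reported above, as an added example that is not part of the original post or of coreutils: it calls `install -d -m MODE` on an existing directory and confirms the resulting mode instead of trusting it. It assumes GNU `stat` (`stat -c %a`); the function names and the `INSTALL` override variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat (`stat -c %a`).
# INSTALL is a hypothetical override so a different install binary can be tested.
INSTALL=${INSTALL:-install}

# Print MODE without leading zeros so "0777" and "777" compare equal.
norm_mode() {
    m=$1
    while [ "${m#0}" != "$m" ] && [ -n "${m#0}" ]; do m=${m#0}; done
    printf '%s\n' "$m"
}

# install_dir_checked MODE DIR
# Returns 0 only if DIR ends up with exactly MODE, 1 on a mode mismatch,
# 2 if install or stat itself fails.
install_dir_checked() {
    want=$(norm_mode "$1")
    "$INSTALL" -d -m "$1" "$2" || return 2
    got=$(stat -c %a "$2") || return 2
    if [ "$got" != "$want" ]; then
        echo "install left $2 at mode $got, wanted $want" >&2
        return 1
    fi
    return 0
}

# Replay the report's steps (chmod 1234, then -m 0777, then -m 751) in a
# scratch directory. Returns 0 if install reset the mode both times.
install_resets_existing_mode() {
    scratch=$(mktemp -d) || return 2
    rc=0
    mkdir "$scratch/conf" && chmod 1234 "$scratch/conf" || rc=2
    [ "$rc" -eq 0 ] && { install_dir_checked 0777 "$scratch/conf" || rc=$?; }
    [ "$rc" -eq 0 ] && { install_dir_checked 751 "$scratch/conf" || rc=$?; }
    chmod 700 "$scratch/conf" 2>/dev/null || :   # make cleanup possible
    rm -rf "$scratch"
    return "$rc"
}
```

A return status of 1 from `install_resets_existing_mode` means the installed `install` left the old, possibly wider, permissions in place, so scripts relying on it to narrow a directory need an explicit `chmod` afterwards.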
