On 12/20/2017 07:19 PM, Bernhard Voelker wrote:
>>
>> But what to do about it? I'm not sure... would doing the traversal
>> depth-first with respect to realpath help?
>
> Doesn't the same problem exist in the other direction as well?
> I mean if you change the ownership of a directory hierarchy from
> user A to user B, then both A and B could try to place malicious
> symlinks during the processing. That means depth-first minimizes
> the problem regarding the receiving user B but may widen the race
> window for user A.

Yes, but as you mention below, the --from option can be used to prevent a
non-root "source user" from being naughty.

> The safest way is to add the --from option in order to ensure (with
> the most tiny race window) that still user A is the owner:
>
> $ sudo chown -v --from=A B file
> ownership of 'file' retained as A

Indeed, but that only limits what the "source user" can do. This
particular race condition is a "destination user" attack. For example,
--from=root isn't going to prevent me from stealing /etc/passwd with a
symlink to it.
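The mitigation the thread is circling around is to make the recursive walk fd-relative and symlink-blind, so a link dropped into the tree mid-traversal gets its own ownership changed and its target is never touched. The following is an added illustration, not code from this thread or from coreutils; it assumes the POSIX.1-2008 *at calls (openat, fstatat, fchownat with AT_SYMLINK_NOFOLLOW) and does not address hard links, which a separate control such as fs.protected_hardlinks has to cover.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Chown the entry `name` inside the directory open as `dirfd`, recursing if it
 * is a directory. Every step is fd-relative and never follows symlinks. Pass
 * (uid_t)-1 / (gid_t)-1 to leave an id unchanged. Returns inodes chowned or -1. */
long chown_tree_nofollow(int dirfd, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    if (fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) != 0) return -1;
    /* Acts on whatever `name` is at this instant; a symlink is chowned, not followed. */
    if (fchownat(dirfd, name, uid, gid, AT_SYMLINK_NOFOLLOW) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return 1;
    /* O_NOFOLLOW|O_DIRECTORY: fails instead of descending if the name was swapped for a link. */
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0) return -1;
    DIR *d = fdopendir(fd);
    if (!d) { close(fd); return -1; }
    long count = 1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        long n = chown_tree_nofollow(fd, e->d_name, uid, gid);
        if (n < 0) { closedir(d); return -1; }
        count += n;
    }
    closedir(d);  /* also closes fd */
    return count;
}

/* Constructed fixture: a temp dir holding one regular file and one symlink to a
 * directory outside the tree (/etc), then a no-op chown (-1/-1) over it. The
 * walk must count 3 inodes, i.e. it must not descend through the link. */
long chown_fixture_tree(void)
{
    char root[] = "/tmp/chownrace.XXXXXX", p[64];
    if (!mkdtemp(root)) return -1;
    snprintf(p, sizeof p, "%s/data", root);
    int fd = open(p, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    snprintf(p, sizeof p, "%s/escape", root);
    if (symlink("/etc", p) != 0) return -1;
    return chown_tree_nofollow(AT_FDCWD, root, (uid_t)-1, (gid_t)-1);
}
```

Note that fchownat still applies to whatever the name resolves to at that moment inside the already-open directory, so the window is reduced to the link itself rather than closed for every object type.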
