Dear Salvatore,

> ... if the attacher created a symlink between the rm and the mkdir
> then mkdir will still fail with -p on a symlink.  (Or do I miss
> something?). ...

Yes, you missed a simple test:

$ mkdir mydir
$ ln -s mydir mylink
$ ls -ld my*
drwx------ 2 psz amstaff 4096 Oct 14 18:46 mydir
lrwxrwxrwx 1 psz amstaff    5 Oct 14 18:46 mylink -> mydir
$ mkdir -p mylink || echo failed
$ mkdir -p mylink; echo $?
$ mkdir mylink || echo failed
mkdir: cannot create directory `mylink': File exists
$ mkdir mylink; echo $?
mkdir: cannot create directory `mylink': File exists
$ ls -ld my*
drwx------ 2 psz amstaff 4096 Oct 14 18:46 mydir
lrwxrwxrwx 1 psz amstaff    5 Oct 14 18:46 mylink -> mydir

showing that "mkdir -p" does not fail (but plain mkdir does).

> On the practicality for Debian systems though this is mitigated by the
> Kernel hardenings which are enabled by default:
> fs.protected_hardlinks=1
> fs.protected_symlink=1
> which will prevent that the target of the symlink in /tmp will be
> changed on the chown call.

Another missing test (besides: who is changing anything?):

# grep . /proc/sys/fs/prot*
# cd ~psz
# ls -ld my*
drwx------ 2 psz amstaff 4096 Oct 14 18:46 mydir
lrwxrwxrwx 1 psz amstaff    5 Oct 14 18:46 mylink -> mydir
# chown mike mylink
# ls -ld my*
drwx------ 2 mike amstaff 4096 Oct 14 18:46 mydir
lrwxrwxrwx 1 psz  amstaff    5 Oct 14 18:46 mylink -> mydir

> So while I think it should be fixed, this would not warrant a DSA,
> since mitigated by default in Debian.

No mitigation: fix and DSA, please!


What response time should I have expected of team@security? You had
close to a whole day... compared to that, Markus replied within the
hour to the Debian bug. (But he did not yet reply to my next, private
bug/message... seems public messaging works best!)

Cheers, Paul

Paul Szabo
School of Mathematics and Statistics   University of Sydney    Australia

Reply via email to