fix(install): prevent symlink race condition in install -D (fixes #10013) #10140
+488
−25
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
GNU testsuite comparison: |
abendrothj
force-pushed
the
fix/install-symlink-race-condition-10013
branch
from
fc7eade to
0b91865
Compare
|
GNU testsuite comparison: |
CodSpeed Performance ReportMerging this PR will degrade performance by 15.63%Comparing Summary
Performance Changes
Footnotes
|
Contributor
Author
|
The 3.46% performance regression is an acceptable trade-off for fixing the symlink race condition vulnerability. The safe directory traversal using file descriptors adds unavoidable overhead, but prevents potential security exploits. |
|
GNU testsuite comparison: |
Contributor
|
sorry but could you please rebase it ? thanks |
Contributor
agreed |
abendrothj
force-pushed
the
fix/install-symlink-race-condition-10013
branch
2 times, most recently
from
fe7aec2 to
4fb0779
Compare
Contributor
|
some conflicts, sorry |
…ils#10013) This commit fixes a TOCTOU (Time-of-Check-Time-of-Use) race condition in the install -D command where an attacker could replace a directory component with a symlink between directory creation and file installation, redirecting writes to an arbitrary location. Changes: - Added mkdir_at() and open_file_at() methods to DirFd for safe operations - Added open_no_follow() to prevent following symlinks when opening directories - Added create_dir_all_safe() function that uses directory file descriptors - Modified install -D to use safe traversal functions instead of pathname-based ops - Added copy_file_safe() function for safe file copying using directory fds - Added tests to verify the fix prevents symlink race conditions The fix works by: 1. Using directory file descriptors (mkdirat/openat) instead of pathnames 2. Keeping directory fds open throughout the operation 3. Detecting and removing symlinks before directory creation 4. Anchoring all file operations to directory file descriptors This eliminates the race window by ensuring all critical operations use directory file descriptors that cannot be replaced by symlinks.
… and boolean simplifications
…x context setting to Linux platforms This commit updates the conditional compilation for SELinux context settings in the install module to only apply when the target OS is Linux. This change ensures that SELinux-related functionality is not erroneously included on non-Linux platforms, improving compatibility and preventing potential issues. Changes: - Modified `#[cfg(feature = "selinux")]` to `#[cfg(all(feature = "selinux", target_os = "linux"))]` in multiple locations to enforce the OS-specific behavior.
…s a file When -t is used with -D and the target exists as a file (not a directory), we should fail immediately without printing verbose directory creation messages. This matches GNU behavior and fixes the failing GNU test tests/install/basic-1.
abendrothj
force-pushed
the
fix/install-symlink-race-condition-10013
branch
from
4fb0779 to
f95bed7
Compare
Contributor
Author
|
There, that should resolve the conflicts :) |
|
GNU testsuite comparison: |
Contributor
Author
|
The sort regression is benchmark noise - this PR only touches |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes a TOCTOU (Time-of-Check-Time-of-Use) race condition in the install -D command where an attacker could replace a directory component with a symlink between directory creation and file installation, redirecting writes to an arbitrary location.
Changes
mkdir_at()andopen_file_at()methods toDirFdfor safe operationsopen_no_follow()to prevent following symlinks when opening directoriescreate_dir_all_safe()function that uses directory file descriptorscopy_file_safe()function for safe file copying using directory fdsHow the Fix Works
The fix prevents the race condition by:
mkdirat/openat) instead of pathnamesThis eliminates the race window by ensuring all critical operations use directory file descriptors that cannot be replaced by symlinks.
Testing
Fixes #10013