security bug in busybox chown -R

Natanael Copa natanael.copa at gmail.com
Fri Aug 18 16:11:08 UTC 2006


On Sat, 2006-08-19 at 03:49 +1200, Glenn L McGrath wrote:
> On Fri, 18 Aug 2006 16:32:35 +0200
> Natanael Copa <natanael.copa at gmail.com> wrote:
> 
> > On Fri, 2006-08-18 at 15:58 +0200, Natanael Copa wrote:
> > > I have discovered a bug in the chown applet.
> > >
> > > The chown -R follows links.
> >
> > Actually, it's not the -R option that follows links. It's chown(2)
> > itself.
> >
> > To fix, replace chown(2) with lchown(2). The attached patch does this.
> >
> > FYI. Gnu chown has a --dereference option to follow links.
> > From the gnu chown(1) man page:
> >
> >        --dereference
> >               Change the ownership of the target of a symbolic link
> >               instead of the symbolic link itself.  (New in fileutils-4.0.)
> >
> > FreeBSD and OpenBSD chown(8) have:
> >
> >      -L      If the -R option is specified, all symbolic links are
> >              followed.
> 
> In the SuSv3 spec there is a -h option which changes the id of the
> symlink rather than the target, which implies the default should be to
> change the target.

Checking... yes, that's how both GNU Linux and FreeBSD do it.

> But then when doing recursive chowns, it has 3 different options to
> specify its behaviour and states, "Unless a -H, -L, or -P option is
> specified, it is unspecified which of these options will be used as the
> default."
> 
> -H and -L refer to symlinks that point to directories.
> 
> -P says it should change the symlink rather than the target, so it's
> a -h for symlinks within your specified directory.
> 
> So in your example, maybe the admin should have done "chown -P
> ncopa /home/ncopa" as -R has an unspecified functionality, but I guess
> it's a judgement call on what busybox should do by default with -R.

GNU Linux sets the link itself and not the target by default, and so
does FreeBSD.

FreeBSD man page:

     -P      If the -R option is specified, no symbolic links are followed.
             This is the default.

I have tested and confirm that is how it works.

Will continue on monday.

Have a nice weekend ppl.

--
Natanael Copa
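
The chown(2) versus lchown(2) difference discussed in this thread, as an added example that is not part of the original message or of the busybox patch: a recursive walk that uses one call or the other. The function names, the temporary directory and the dangling link are constructed for illustration; the dangling link makes the difference visible without privileges, because chown(2) resolves the link and fails with ENOENT while lchown(2) operates on the link itself.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Recursive chown that never descends through a symlink (lstat decides).
 * follow=1 uses chown(2), which changes a link's target; follow=0 uses
 * lchown(2), which changes the link. Returns the number of failed calls. */
int chown_tree(const char *path, uid_t uid, gid_t gid, int follow)
{
    struct stat st;
    int failed = 0;
    if (lstat(path, &st) != 0) return 1;
    if ((follow ? chown(path, uid, gid) : lchown(path, uid, gid)) != 0) failed++;
    if (!S_ISDIR(st.st_mode)) return failed;
    DIR *d = opendir(path);
    if (!d) return failed + 1;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        char child[4096];
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        snprintf(child, sizeof child, "%s/%s", path, e->d_name);
        failed += chown_tree(child, uid, gid, follow);
    }
    closedir(d);
    return failed;
}

/* Constructed fixture: <tmp>/file and <tmp>/dangling -> missing target; own ids only. */
int demo(int follow)
{
    char dir[] = "/tmp/chown-demo-XXXXXX", file[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/file", dir);
    snprintf(lnk, sizeof lnk, "%s/dangling", dir);
    FILE *f = fopen(file, "w");
    if (f) fclose(f);
    if (symlink("/nonexistent/chown-demo-target", lnk) != 0) return -1;
    int failed = chown_tree(dir, geteuid(), getegid(), follow);
    unlink(lnk); unlink(file); rmdir(dir);
    return failed;
}

int main(void)
{
    printf("chown(2): %d failed, lchown(2): %d failed\n", demo(1), demo(0));
}
```

With a link whose target exists, the chown(2) variant would report no failure and would change the target's owner instead, which is the behaviour reported in this thread.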



