security bug in busybox chown -R

Natanael Copa natanael.copa at gmail.com
Mon Aug 21 17:58:37 UTC 2006


On Fri, 2006-08-18 at 18:11 +0200, Natanael Copa wrote:
> On Sat, 2006-08-19 at 03:49 +1200, Glenn L McGrath wrote:
> > On Fri, 18 Aug 2006 16:32:35 +0200
> > Natanael Copa <natanael.copa at gmail.com> wrote:
> >
> > > On Fri, 2006-08-18 at 15:58 +0200, Natanael Copa wrote:
> > > > I have discovered a bug in the chown applet.
> > > >
> > > > The chown -R follows links.
> > >
> > > Actually, its not the -R option that follow links. Its chown(2)
> > > itself.
> > >
> > > To fix, replace chown(2) with lchown(2). The attached patch does this.
> > >
> > > FYI. Gnu chown has a --dereference option to follow links.
> > > >From the gnu chown(1) man page:
> > >
> > >        --dereference
> > >               Change the ownership of the target of a symbolic link
> > > instead of the symbolic link itself.  (New in fileutils-4.0.)
> > >
> > > FreeBSD and OpenBSD chown(8) has:
> > >
> > >      -L      If the -R option is specified, all symbolic links are
> > > followed.
> >
> > In the SuSv3 spec there is a -h option which changes the id of the
> > symlink rather than the target, which implies the default should be to
> > change the target.
> 
> Checking... yes, thats how both GNU Linux and FreeBSD does.
> 
> > But then when doing recursive chowns, it has 3 different options to
> > specify its behaviour and states, "Unless a -H, -L, or -P option is
> > specified, it is unspecified which of these options will be used as the
> > default."
> >
> > -H and -L refer to symlinks that point to directories.
> >
> > -P says it should change the symlink rather than the target, so its
> > a -h for symlinks within your specified directory.
> >
> > So in your example, maybe the admin should have done "chown -P
> > ncopa /home/ncopa" as -R has an unspecified functionality, but i guess
> > its a judgement call on what busybox should do by default with -R.
> 
> GNU Linux does sets the link itself and not the target by default and so
> does FreeBSD too.
> 
> FreeBSD man page:
> 
>      -P      If the -R option is specified, no symbolic links are followed.
>              This is the default.
> 
> I have tested and confirm that is how it works.
> 
> Will continue on monday.

After thinking over it during the weekend, I have come to that the
current implementation is probably the best way to do it. It is the
smallest at least. It does give you a surprise if you are used to the
GNU and BSD chown, but no matter how you solve it otherwise will make it
bigger.

If interested, I can provide a patch which will make busybox behave the
same. If -R is specified then don't follow any link unless -L (or -H?)
is specified too. A few bytes bigger yes, but more expected behaviour. 

I suspect there is not much interest for it.

--
Natanael Copa




More information about the busybox mailing list