-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chmod -R #59
Comments
@boneskull I wonder if we could use the |
Just updating this thread based on the past two WG calls; I'm willing to get involved here to try and tackle the work - outside of my existing day-to-day responsibilities. Follow-up Actions
|
@boneskull might make sense to remove this from the agenda until there's been some work/update to give. |
@bcoe It's worth noting that This is less of a concern for a userland module, since we can just say "this isn't secure for X purposes", but it becomes a bigger hazard in node core, especially since mode/ownership are such important security features. Rimraf and mkdirp are less of a concern as well, since the damage that a TOCTOU attack causes is more apparent. (And, in rimraf's case at least, there isn't a TOCTOU opening, because there is a way to say "only remove this thing if it is/isn't an actual directory".) A mkdirp exploit can create some garbage, and a rimraf exploit can trick you into deleting |
Also worth noting that the TOCTOU issue exists in |
(an explanation of TOCTOU: https://deadliestwebattacks.com/2012/12/26/toctou-twins/) |
@isaacs to my understanding, if we used the following pseudocode to keep the same FD rather than string would this be solved?
It seems like the file on represented by |
Quick update: @bcoe & I paired a bit (he drove & got the initial work together here: https://github.com/bcoe/node-1/tree/chmodr) - I'll be picking up where we left off... Action Items
|
|
Here's a Node.js script that uses the built-in module But please note the concerns raised by @isaacs about the vulnerability to TOCTOU attacks. You can use the same kind of approach to walk the FS tree and do things. The approach is the same in C (because the built-ins are the same). All these suffer from TOCTOU vulnerability, but like @isaacs said, some built-ins can be leveraged to get root, while others are just annoying.
|
(Sorry for the many years late reply) Using fstat in this way would be much worse actually, because O_SYMLINK is not in the posix standard and is only supported on BSD systems, afaik. So any Linux machine would have no way to not follow all symlinks. So if someone swapped the child dir for a symlink to /etc between the But yes, on macOS and other BSDs, this would be a solution. You could open the child entries with O_SYMLINK, fstat would report that it's a symlink, and you'd know not to recurse. |
This came out of a slack discussion, but adding a recursive mode to
fs.chmod
(a la chmodr would be super.cc @isaacs @coreyfarrell
The text was updated successfully, but these errors were encountered: