os: RemoveAll susceptible to symlink race #52745
Change https://go.dev/cl/588495 mentions this issue:
Since all the platforms now support O_DIRECTORY flag for open, it can be used (together with O_NOFOLLOW) to ensure we open a directory, thus eliminating the need to call stat before open. This fixes the symlink race, when a directory is replaced by a symlink in between stat and open calls.

While at it, rename openFdAt to openDirAt, because this function is (and was) meant for directories only.

NOTE Solaris supports O_DIRECTORY since before Solaris 11 (which is the only version Go supports since supported version now), and Illumos always had it. The only missing piece was O_DIRECTORY flag value, which is taken from golang.org/x/sys/unix.

Updates #52745.

Change-Id: Ic1111d688eebc8804a87d39d3261c2a6eb33f176
Reviewed-on: https://go-review.googlesource.com/c/go/+/588495
Reviewed-by: Ian Lance Taylor <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Aleksa Sarai <[email protected]>
Reviewed-by: Than McIntosh <[email protected]>
Auto-Submit: Ian Lance Taylor <[email protected]>
@gopherbot please open backport issues for this, it's a security hardening issue which fixes a long running TOCTOU race.
Backport issue(s) opened: #67695 (for 1.21), #67696 (for 1.22). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.
The Unix-likes (everything with
Change https://go.dev/cl/629698 mentions this issue:
Change https://go.dev/cl/630337 mentions this issue:
Both the `at` (systems that implement `openat`, `unlinkat` etc) and the `noat` implementations of `os.RemoveAll` are susceptible to a TOCTOU symlink race, where a directory can be replaced with a symlink between being stat'd and open'd. This can be used to 'trick' the program into deleting things it does not expect to delete. This is a minor security issue, but has relatively limited impact because it requires a multi-user system where an attacker is able to create symlinks, a program which will call `os.RemoveAll` on an attacker writable tree.

This is due to `O_NOFOLLOW` not being passed to `openat`/`open` on Unix systems, and `FILE_FLAG_OPEN_REPARSE_POINT` not being passed to `CreateFileW` on Windows. On Unix systems the fix is extremely simple, but on Windows it requires some changes to the Windows syscalls, since the flags passed to `CreateFileW` are fixed and cannot be altered by the caller currently.
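
Added example, not part of the issue thread or the Go source: a deterministic replay of the check/swap/open sequence described above, run in a constructed temp directory, comparing a plain open with one that passes `O_DIRECTORY|O_NOFOLLOW`. The names `openDirNoFollow` and `swapRace` are hypothetical, and the code assumes Linux or another Unix where the `syscall` package defines both flags.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// openDirNoFollow opens path only if its last component is a real directory:
// O_NOFOLLOW rejects a symlink and O_DIRECTORY any other non-directory.
func openDirNoFollow(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_RDONLY|syscall.O_DIRECTORY|syscall.O_NOFOLLOW, 0)
}

// swapRace replays the race in a constructed temp tree: create the entry, swap
// it for a symlink, then open it with and without the hardened flags.
func swapRace() (plainOpened, hardenedOpened bool, err error) {
	root, err := os.MkdirTemp("", "removeall-race")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(root)
	outside := filepath.Join(root, "outside") // stands in for data outside the tree
	sub := filepath.Join(root, "tree", "sub") // entry the walker will descend into
	if err = os.MkdirAll(outside, 0o755); err == nil {
		err = os.MkdirAll(sub, 0o755) // at "check" time sub is a real directory
	}
	if err == nil {
		err = os.Remove(sub) // the swap between check and open...
	}
	if err == nil {
		err = os.Symlink(outside, sub) // ...leaves a symlink where sub was
	}
	if err != nil {
		return false, false, err
	}
	if f, e := os.Open(sub); e == nil { // the "use" without O_NOFOLLOW
		plainOpened = true
		f.Close()
	}
	if f, e := openDirNoFollow(sub); e == nil {
		hardenedOpened = true
		f.Close()
	}
	return plainOpened, hardenedOpened, nil
}

func main() { fmt.Println(swapRace()) }
```

The plain open lands in `outside` through the link, while the hardened open fails at the system call, so no separate stat is needed before it.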