From 0aa9b0a92cb61af76b75b57abfd6ea1a7c627367 Mon Sep 17 00:00:00 2001

From: Michael Orlitzky <michael@orlitzky.com>

Date: Thu, 28 Dec 2017 15:52:42 -0500

Subject: [PATCH 1/2] doc: clarify chown/chgrp --dereference defaults

* doc/coreutils.texi: the documentation for the --dereference

  flag of chown/chgrp states that it is the default mode of

  operation. Document that this is only the case when operating

  non-recursively.

Upstream-commit: 7597cfa482e42a00a69fb9577ee523762980a9a2

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 doc/coreutils.texi | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/coreutils.texi b/doc/coreutils.texi

index de1f2eb..de06c0f 100644

--- a/doc/coreutils.texi

+++ b/doc/coreutils.texi

@@ -10989,7 +10989,7 @@ chown -h -R --from=OLDUSER NEWUSER /

 @cindex symbolic links, changing owner

 @findex lchown

 Do not act on symbolic links themselves but rather on what they point to.

-This is the default.

+This is the default when not operating recursively.

 @item -h

 @itemx --no-dereference

@@ -11119,7 +11119,7 @@ changed.

 @cindex symbolic links, changing owner

 @findex lchown

 Do not act on symbolic links themselves but rather on what they point to.

-This is the default.

+This is the default when not operating recursively.

 @item -h

 @itemx --no-dereference

-- 

2.13.6

From 3fb331864c718e065804049001b573ff94810772 Mon Sep 17 00:00:00 2001

From: Michael Orlitzky <michael@orlitzky.com>

Date: Thu, 4 Jan 2018 11:38:21 -0500

Subject: [PATCH 2/2] doc: warn about following symlinks recursively in

 chown/chgrp

In both chown and chgrp (which shares its code with chown), operating

on symlinks recursively has a window of vulnerability where the

destination user or group can change the target of the operation.

Warn about combining the --dereference, --recursive, and -L flags.

* doc/coreutils.texi (warnOptDerefWithRec): Add macro.

(node chown invocation): Add it to --dereference and -L.

(node chgrp invocation): Likewise.

See also: CVE-2017-18018

Upstream-commit: bc2fd9796403e03bb757b064d44c22fab92e6842

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 doc/coreutils.texi | 17 +++++++++++++++++

 1 file changed, 17 insertions(+)

diff --git a/doc/coreutils.texi b/doc/coreutils.texi

index de06c0f..24cc85b 100644

--- a/doc/coreutils.texi

+++ b/doc/coreutils.texi

@@ -1428,6 +1428,19 @@ a command line argument is a symbolic link to a directory, traverse it.

 In a recursive traversal, traverse every symbolic link to a directory

 that is encountered.

 @end macro

+

+@c Append the following warning to -L where appropriate (e.g. chown).

+@macro warnOptDerefWithRec

+

+Combining this dereferencing option with the @option{--recursive} option

+may create a security risk:

+During the traversal of the directory tree, an attacker may be able to

+introduce a symlink to an arbitrary target; when the tool reaches that,

+the operation will be performed on the target of that symlink,

+possibly allowing the attacker to escalate privileges.

+

+@end macro

+

 @choptL

 @macro choptP

@@ -10990,6 +11003,7 @@ chown -h -R --from=OLDUSER NEWUSER /

 @findex lchown

 Do not act on symbolic links themselves but rather on what they point to.

 This is the default when not operating recursively.

+@warnOptDerefWithRec

 @item -h

 @itemx --no-dereference

@@ -11046,6 +11060,7 @@ Recursively change ownership of directories and their contents.

 @xref{Traversing symlinks}.

 @choptL

+@warnOptDerefWithRec

 @xref{Traversing symlinks}.

 @choptP

@@ -11120,6 +11135,7 @@ changed.

 @findex lchown

 Do not act on symbolic links themselves but rather on what they point to.

 This is the default when not operating recursively.

+@warnOptDerefWithRec

 @item -h

 @itemx --no-dereference

@@ -11175,6 +11191,7 @@ Recursively change the group ownership of directories and their contents.

 @xref{Traversing symlinks}.

 @choptL

+@warnOptDerefWithRec

 @xref{Traversing symlinks}.

 @choptP

-- 

2.13.6