[issue17180] shutil copy* unsafe on POSIX - they preserve setuid/setgit bits
Milko Krachounov
report at bugs.python.org
Mon Feb 11 10:10:56 CET 2013
New submission from Milko Krachounov:
When copying the mode of a file with copy, copy2, copymode, copystat or copytree, all permission bits are copied (including setuid and setgid), but the owner of the file is not. This can be used for privilege escalation.
An example:
-rwSr--r-- 1 milko milko 0 фев 11 10:53 test1
shutil.copy("test1", "test2")
-rwSr--r-- 1 root root 0 фев 11 10:53 test2
If test1 contained anything malicious, now the user milko can execute his malicious payload as root.
Potential fixes:
- Strip setuid/setgid bits.
- Copy the owner on POSIX.
- Perform a safety check on the owner.
- Document the security risk.
The behaviour of copymode/copystat in this case is the same as `chmod --reference', and there can be some expectation of unsafety, but copy/copy2/copytree's behaviour differs from that of `cp -p', and this is a non-obvious difference.
----------
components: Library (Lib)
messages: 181885
nosy: milko.krachounov
priority: normal
severity: normal
status: open
title: shutil copy* unsafe on POSIX - they preserve setuid/setgit bits
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue17180>
_______________________________________
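
The first potential fix listed in the report (strip setuid/setgid bits), sketched as an added example; it is not part of the original submission and not CPython's code. The names copy_without_special_bits and demo are hypothetical, and the sample file is constructed to match the -rwSr--r-- listing above.

```python
import os
import shutil
import stat
import tempfile

# Bits that change the effective user/group when the file is executed.
SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def copy_without_special_bits(src, dst):
    """Copy data and permission bits like shutil.copy, minus setuid/setgid.

    The destination is created with the default (umask) mode by copyfile and
    only then given the masked mode, so it never carries the source's
    setuid/setgid bits under the new owner, not even briefly.
    """
    if os.path.isdir(dst):
        dst = os.path.join(dst, os.path.basename(src))
    shutil.copyfile(src, dst)
    mode = stat.S_IMODE(os.stat(src).st_mode) & ~SPECIAL_BITS
    os.chmod(dst, mode)
    return dst


def demo():
    """Return (source, shutil.copy, stripped-copy) modes for a constructed file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "test1")
        with open(src, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(src, 0o4644)  # -rwSr--r--, as in the report
        plain = shutil.copy(src, os.path.join(tmp, "test2"))
        stripped = copy_without_special_bits(src, os.path.join(tmp, "test3"))
        return tuple(
            stat.S_IMODE(os.stat(p).st_mode) for p in (src, plain, stripped)
        )


if __name__ == "__main__":
    for label, mode in zip(("source", "shutil.copy", "stripped"), demo()):
        print(f"{label:12} {stat.filemode(stat.S_IFREG | mode)}")
```
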