mirror of
https://github.com/uutils/coreutils.git
synced 2026-05-06 07:26:38 -04:00
Sylvestre Ledru
ef5d752282
In `-P` / no-dereference mode, cp now opens the source file with `O_NOFOLLOW`, matching GNU cp. This closes a TOCTOU window where an attacker who can swap the source path between cp's `lstat` check and the subsequent open could redirect the read through a symlink to a sensitive file (e.g. /etc/shadow). With `O_NOFOLLOW` the open fails with `ELOOP` instead. The same flag is propagated to `safe_copy::create_dest_restrictive`, so the destination open also refuses to follow a symlink in no-dereference mode. Without that, an attacker who plants the dest path as a symlink between the caller's check and the open could redirect the truncate (and the subsequent write) to any file the caller has permission to write — the symmetric attack to the source side. With `nofollow=true` the dest open returns `ELOOP` and the victim file is left untouched. `copy_on_write` gains a `nofollow` parameter threaded from `copy_helper`, set to `!options.dereference(source_in_command_line)`. In deref mode the flag is false and behavior is unchanged — cp still follows symlinks, matching GNU. Extends `util/check-safe-traversal.sh` with a cp -P strace check so the invariant is locked in: future changes that drop `O_NOFOLLOW` here will fail the smoke test.
294 lines
12 KiB
Bash
Executable File
294 lines
12 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# Check that utilities are using safe traversal (openat family syscalls)
|
|
# to prevent TOCTOU race conditions
|
|
#
|
|
|
|
set -e
|
|
|
|
: ${PROFILE:=release-small}
|
|
export PROFILE
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
|
|
TEMP_DIR=$(mktemp -d)
|
|
|
|
# Function to exit immediately on error
|
|
fail_immediately() {
|
|
echo "❌ FAILED: $1"
|
|
echo ""
|
|
echo "Debug information available in: $TEMP_DIR/strace_*.log"
|
|
exit 1
|
|
}
|
|
|
|
cleanup() {
|
|
rm -rf "$TEMP_DIR"
|
|
}
|
|
trap cleanup EXIT
|
|
|
|
echo "=== Safe Traversal Verification ==="
|
|
|
|
# Assume binaries are already built (for CI usage)
|
|
# Prefer individual binaries for more accurate testing
|
|
if [ -f "$PROJECT_ROOT/target/${PROFILE}/rm" ]; then
|
|
echo "Using individual binaries"
|
|
USE_MULTICALL=0
|
|
elif [ -f "$PROJECT_ROOT/target/${PROFILE}/coreutils" ]; then
|
|
echo "Using multicall binary"
|
|
USE_MULTICALL=1
|
|
COREUTILS_BIN="$PROJECT_ROOT/target/${PROFILE}/coreutils"
|
|
else
|
|
echo "Error: No binaries found. Please build first with 'cargo build --profile=${PROFILE}'"
|
|
exit 1
|
|
fi
|
|
|
|
cd "$TEMP_DIR"
|
|
|
|
# Create test directory structure
|
|
mkdir -p test_dir/sub1/sub2/sub3
|
|
echo "test1" > test_dir/file1.txt
|
|
echo "test2" > test_dir/sub1/file2.txt
|
|
echo "test3" > test_dir/sub1/sub2/file3.txt
|
|
echo "test4" > test_dir/sub1/sub2/sub3/file4.txt
|
|
|
|
check_utility() {
|
|
local util="$1"
|
|
local trace_syscalls="$2"
|
|
local expected_syscalls="$3"
|
|
local test_args="$4"
|
|
local test_name="$5"
|
|
|
|
echo ""
|
|
echo "Testing $util ($test_name)..."
|
|
|
|
local strace_log="strace_${util}_${test_name}.log"
|
|
|
|
# Choose binary to use
|
|
if [ "$USE_MULTICALL" -eq 1 ]; then
|
|
local util_cmd="$COREUTILS_BIN $util"
|
|
else
|
|
local util_path="$PROJECT_ROOT/target/${PROFILE}/$util"
|
|
if [ ! -f "$util_path" ]; then
|
|
fail_immediately "$util binary not found at $util_path"
|
|
fi
|
|
local util_cmd="$util_path"
|
|
fi
|
|
|
|
# Run utility under strace
|
|
strace -f -e trace="$trace_syscalls" -o "$strace_log" \
|
|
$util_cmd $test_args 2>/dev/null || true
|
|
cat $strace_log
|
|
# Check for expected safe syscalls
|
|
local found_safe=0
|
|
for syscall in $expected_syscalls; do
|
|
# fchmodat2 is the modern replacement for fchmodat on Linux 6.6+
|
|
# Accept either as a valid safe traversal syscall
|
|
case "$syscall" in
|
|
fchmodat)
|
|
if grep -qE "fchmodat2?\(" "$strace_log"; then
|
|
echo "✓ Found fchmodat/fchmodat2() (safe traversal)"
|
|
found_safe=$((found_safe + 1))
|
|
else
|
|
fail_immediately "Missing fchmodat() or fchmodat2() (safe traversal not active for $util)"
|
|
fi
|
|
;;
|
|
*)
|
|
if grep -q "$syscall" "$strace_log"; then
|
|
echo "✓ Found $syscall() (safe traversal)"
|
|
found_safe=$((found_safe + 1))
|
|
else
|
|
fail_immediately "Missing $syscall() (safe traversal not active for $util)"
|
|
fi
|
|
;;
|
|
esac
|
|
done
|
|
|
|
# Count detailed syscall statistics
|
|
local openat_count unlinkat_count fchmodat_count fchownat_count newfstatat_count renameat_count
|
|
local unlink_count rmdir_count chmod_count chown_count safe_ops unsafe_ops
|
|
|
|
openat_count=$(grep -c "openat(" "$strace_log" 2>/dev/null | tr -d '\n' || echo "0")
|
|
unlinkat_count=$(grep -c "unlinkat(" "$strace_log" 2>/dev/null | tr -d '\n' || echo "0")
|
|
fchmodat_count=$(grep -cE "fchmodat2?\(" "$strace_log" 2>/dev/null | tr -d '\n' || echo "0")
|
|
fchownat_count=$(grep -c "fchownat(" "$strace_log" 2>/dev/null | tr -d '\n' || echo "0")
|
|
newfstatat_count=$(grep -c "newfstatat(" "$strace_log" 2>/dev/null | tr -d '\n' || echo "0")
|
|
renameat_count=$(grep -c "renameat(" "$strace_log" 2>/dev/null | tr -d '\n' || echo "0")
|
|
|
|
# Count old unsafe syscalls (exclude the trace line prefix)
|
|
unlink_count=$(grep -cE "\bunlink\(" "$strace_log" 2>/dev/null | tr -d '\n' || echo "0")
|
|
rmdir_count=$(grep -cE "\brmdir\(" "$strace_log" 2>/dev/null | tr -d '\n' || echo "0")
|
|
chmod_count=$(grep -cE "\bchmod\(" "$strace_log" 2>/dev/null | tr -d '\n' || echo "0")
|
|
chown_count=$(grep -cE "\b(chown|lchown)\(" "$strace_log" 2>/dev/null | tr -d '\n' || echo "0")
|
|
|
|
# Ensure all variables are integers
|
|
[ -z "$openat_count" ] && openat_count=0
|
|
[ -z "$unlinkat_count" ] && unlinkat_count=0
|
|
[ -z "$fchmodat_count" ] && fchmodat_count=0
|
|
[ -z "$fchownat_count" ] && fchownat_count=0
|
|
[ -z "$newfstatat_count" ] && newfstatat_count=0
|
|
[ -z "$renameat_count" ] && renameat_count=0
|
|
[ -z "$unlink_count" ] && unlink_count=0
|
|
[ -z "$rmdir_count" ] && rmdir_count=0
|
|
[ -z "$chmod_count" ] && chmod_count=0
|
|
[ -z "$chown_count" ] && chown_count=0
|
|
|
|
# Calculate totals
|
|
safe_ops=$((openat_count + unlinkat_count + fchmodat_count + fchownat_count + newfstatat_count + renameat_count))
|
|
unsafe_ops=$((unlink_count + rmdir_count + chmod_count + chown_count))
|
|
|
|
echo " Strace statistics:"
|
|
echo " Safe syscalls: openat=$openat_count unlinkat=$unlinkat_count fchmodat=$fchmodat_count fchownat=$fchownat_count newfstatat=$newfstatat_count renameat=$renameat_count"
|
|
echo " Unsafe syscalls: unlink=$unlink_count rmdir=$rmdir_count chmod=$chmod_count chown/lchown=$chown_count"
|
|
echo " Total: safe=$safe_ops unsafe=$unsafe_ops"
|
|
|
|
# For rm specifically, we expect unlinkat instead of unlink/rmdir for file operations
|
|
# Note: A single rmdir() for the root directory is acceptable because:
|
|
# 1. The root directory path is provided by the user (not discovered during traversal)
|
|
# 2. There's no TOCTOU race - we're not resolving paths during recursive operations
|
|
# 3. After safe traversal removes all contents via unlinkat(), rmdir() is safe for the empty root
|
|
if [ "$util" = "rm" ]; then
|
|
if [ "$unlinkat_count" -gt 0 ] && [ "$unlink_count" -eq 0 ] && [ "$rmdir_count" -le 1 ]; then
|
|
echo "✓ Using safe syscalls (unlinkat for traversal)"
|
|
if [ "$rmdir_count" -eq 1 ]; then
|
|
echo " Note: Single rmdir() for root directory is acceptable"
|
|
fi
|
|
elif [ "$unlink_count" -gt 0 ] || [ "$rmdir_count" -gt 1 ]; then
|
|
fail_immediately "$util is UNSAFE: Using unlink/rmdir for file operations (unlink=$unlink_count rmdir=$rmdir_count unlinkat=$unlinkat_count) - vulnerable to TOCTOU attacks"
|
|
else
|
|
echo "⚠ No file removal operations detected"
|
|
fi
|
|
elif [ "$safe_ops" -gt 0 ] && [ "$unsafe_ops" -eq 0 ]; then
|
|
echo "✓ Using only safe syscalls"
|
|
elif [ "$safe_ops" -gt 0 ] && [ "$safe_ops" -ge "$unsafe_ops" ]; then
|
|
echo "✓ Using primarily safe syscalls"
|
|
elif [ "$found_safe" -gt 0 ]; then
|
|
echo "⚠ Some safe syscalls found but mixed with unsafe ops"
|
|
else
|
|
fail_immediately "$util is not using safe traversal"
|
|
fi
|
|
}
|
|
|
|
# Get list of available utilities
|
|
if [ "$USE_MULTICALL" -eq 1 ]; then
|
|
AVAILABLE_UTILS=$($COREUTILS_BIN --list)
|
|
else
|
|
AVAILABLE_UTILS=""
|
|
for util in rm chmod chown chgrp du mv cp; do
|
|
if [ -f "$PROJECT_ROOT/target/${PROFILE}/$util" ]; then
|
|
AVAILABLE_UTILS="$AVAILABLE_UTILS $util"
|
|
fi
|
|
done
|
|
fi
|
|
|
|
# Test rm - should use openat, unlinkat, newfstatat
|
|
if echo "$AVAILABLE_UTILS" | grep -q "rm"; then
|
|
cp -r test_dir test_rm
|
|
check_utility "rm" "openat,unlinkat,newfstatat,unlink,rmdir" "openat" "-rf test_rm" "recursive_remove"
|
|
|
|
# Regression guard: rm must not issue path-based statx calls (should rely on dirfd-relative newfstatat)
|
|
if grep -qE 'statx\(AT_FDCWD, "/' strace_rm_recursive_remove.log; then
|
|
fail_immediately "rm is using path-based statx (absolute path); expected dirfd-relative newfstatat"
|
|
fi
|
|
if grep -qE 'statx\(AT_FDCWD, "[^"]*/' strace_rm_recursive_remove.log; then
|
|
fail_immediately "rm is using path-based statx (multi-component relative path); expected dirfd-relative newfstatat"
|
|
fi
|
|
fi
|
|
|
|
# Test chmod - should use openat, fchmodat, newfstatat
|
|
if echo "$AVAILABLE_UTILS" | grep -q "chmod"; then
|
|
cp -r test_dir test_chmod
|
|
check_utility "chmod" "openat,fchmodat,fchmodat2,newfstatat,chmod" "openat fchmodat" "-R 755 test_chmod" "recursive_chmod"
|
|
|
|
# Additional regression guard: ensure recursion uses dirfd-relative openat, not AT_FDCWD with a multi-component path
|
|
if grep -q 'openat(AT_FDCWD, "test_chmod/' strace_chmod_recursive_chmod.log; then
|
|
fail_immediately "chmod recursed using AT_FDCWD with a multi-component path; expected dirfd-relative openat"
|
|
fi
|
|
fi
|
|
|
|
# Test chown - should use openat, fchownat, newfstatat
|
|
if echo "$AVAILABLE_UTILS" | grep -q "chown"; then
|
|
cp -r test_dir test_chown
|
|
USER_ID=$(id -u)
|
|
GROUP_ID=$(id -g)
|
|
check_utility "chown" "openat,fchownat,newfstatat,chown,lchown" "openat fchownat" "-R $USER_ID:$GROUP_ID test_chown" "recursive_chown"
|
|
fi
|
|
|
|
# Test chgrp - should use openat, fchownat, newfstatat
|
|
if echo "$AVAILABLE_UTILS" | grep -q "chgrp"; then
|
|
cp -r test_dir test_chgrp
|
|
check_utility "chgrp" "openat,fchownat,newfstatat,chown,lchown" "openat fchownat" "-R $GROUP_ID test_chgrp" "recursive_chgrp"
|
|
fi
|
|
|
|
# Test du - should use openat, newfstatat
|
|
if echo "$AVAILABLE_UTILS" | grep -q "du"; then
|
|
cp -r test_dir test_du
|
|
check_utility "du" "openat,newfstatat,stat,lstat" "openat" "-a test_du" "directory_usage"
|
|
fi
|
|
|
|
# Test mv - should use openat, renameat for directory moves
|
|
if echo "$AVAILABLE_UTILS" | grep -q "mv"; then
|
|
mkdir -p test_mv_src/sub
|
|
echo "test" > test_mv_src/file.txt
|
|
echo "test" > test_mv_src/sub/file2.txt
|
|
check_utility "mv" "openat,renameat,newfstatat,rename" "openat" "test_mv_src test_mv_dst" "move_directory"
|
|
fi
|
|
|
|
# cp invariant checks. Both #10011 (restrictive 0600 destination mode) and
|
|
# #10017 (O_NOFOLLOW on the -P source) need to hold; verify each on its own
|
|
# strace.
|
|
if echo "$AVAILABLE_UTILS" | grep -q "cp"; then
|
|
if [ "$USE_MULTICALL" -eq 1 ]; then
|
|
cp_cmd="$COREUTILS_BIN cp"
|
|
else
|
|
cp_cmd="$PROJECT_ROOT/target/${PROFILE}/cp"
|
|
fi
|
|
|
|
# #10011: destination created with mode 0600 so other users cannot open
|
|
# the file through its umask-derived initial mode before cp narrows it.
|
|
echo "cp_perm_test" > test_cp_src_perm
|
|
rm -f test_cp_dst_perm
|
|
strace -f -e trace=openat -o strace_cp_dest_perm.log \
|
|
$cp_cmd test_cp_src_perm test_cp_dst_perm 2>/dev/null || true
|
|
if ! grep -qE 'openat\(AT_FDCWD, "test_cp_dst_perm".*O_CREAT.*, 0600\)' strace_cp_dest_perm.log; then
|
|
cat strace_cp_dest_perm.log
|
|
fail_immediately "cp must create the destination with mode 0600 (issue #10011)"
|
|
fi
|
|
echo "✓ cp creates destination with restrictive 0600 mode"
|
|
rm -f test_cp_src_perm test_cp_dst_perm
|
|
|
|
# #10017: -P opens source with O_NOFOLLOW so a path swap to a symlink
|
|
# between the lstat check and the open cannot redirect the copy.
|
|
echo "cp_nofollow_test" > test_cp_src
|
|
strace -f -e trace=openat -o strace_cp_nofollow.log \
|
|
$cp_cmd -P test_cp_src test_cp_dst 2>/dev/null || true
|
|
if ! grep -qE 'openat\(AT_FDCWD, "test_cp_src".*O_NOFOLLOW' strace_cp_nofollow.log; then
|
|
cat strace_cp_nofollow.log
|
|
fail_immediately "cp -P must open the source with O_NOFOLLOW (issue #10017)"
|
|
fi
|
|
echo "✓ cp -P opens source with O_NOFOLLOW"
|
|
rm -f test_cp_src test_cp_dst
|
|
fi
|
|
|
|
echo ""
|
|
echo "✓ Basic safe traversal verification completed"
|
|
echo ""
|
|
echo "=== Additional Safety Checks ==="
|
|
|
|
# Check for dangerous patterns across all logs
|
|
echo "Checking for dangerous path resolution patterns..."
|
|
|
|
# Check that we're not doing excessive path resolutions (sign of TOCTOU vulnerability)
|
|
echo "Checking path resolution frequency..."
|
|
for log in strace_*.log; do
|
|
if [ -f "$log" ]; then
|
|
path_resolutions=$(grep -c "test_" "$log" 2>/dev/null || echo "0")
|
|
if [ "$path_resolutions" -gt 20 ]; then
|
|
echo "⚠ $log: High path resolution count ($path_resolutions) - potential TOCTOU risk"
|
|
fi
|
|
fi
|
|
done
|
|
|
|
echo ""
|
|
echo "=== Summary ==="
|
|
echo "All utilities are using safe traversal correctly!"
|