This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: shutil.copytree with symlinks=True opens vulnerabilities
Type: security
Stage: resolved
Components: Distutils
Versions:
process
Status: closed
Resolution: not a bug
Dependencies:
Superseder:
Assigned To:
Nosy List: dstufft, eric.araujo, r.david.murray, spaceone
Priority: normal
Keywords:

Created on 2015-07-03 12:41 by spaceone, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (4)
msg246170 - (view) Author: SpaceOne (spaceone) * Date: 2015-07-03 12:41
shutil.copytree(src, dst, symlinks=True) destroys file system permissions and opens security issues. See the following python/bash session:

# ls -l /etc/shadow
-rw-r----- 1 root shadow 1114 May  8 19:10 /etc/shadow
# su foobar
$ ln -s /etc/shadow && exit
# python -c '__import__("shutil").copytree("/home/", "/backups/home", symlinks=True)'
# ls -l /etc/shadow
-rw-r----- 1 foobar Domain Users 1114 Mai  8 19:10 /etc/shadow

As you can see, the file "/etc/shadow" is now owned by the user "foobar" and its primary group.
msg246171 - (view) Author: SpaceOne (spaceone) * Date: 2015-07-03 12:43
my workaround is:
import os.path
import shutil

def ignore(src, names):
    # report every entry of this directory that is a symlink, so copytree skips it
    return [name for name in names if os.path.islink(os.path.join(src, name))]

shutil.copytree(src, dst, ignore=ignore)
msg246183 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2015-07-03 14:46
I don't understand your workaround (how is that different from just using the default value of symlinks?)

It sounds like what you are reporting is that copystat is incorrectly setting permissions on a file a symlink points to instead of on the symlink itself (in whatever sense the latter is even meaningful)?
msg246187 - (view) Author: SpaceOne (spaceone) * Date: 2015-07-03 15:18
Argh. Sorry. I did not read the following lines in my environment, which caused this by a recursive chown.
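An added example, not code from the tracker or from CPython, that rebuilds the reported scenario in a throwaway directory and checks what shutil.copytree really does to a symlink's target under each setting, including the ignore= workaround from msg246171. The "secret" file and "home"/"backup" directories are constructed stand-ins for /etc/shadow and the backed-up tree.

```python
import os
import shutil
import stat
import tempfile


def ignore_symlinks(src, names):
    """The ignore= callable from msg246171: leave out every symlink entry."""
    return [n for n in names if os.path.islink(os.path.join(src, n))]


def make_tree(base):
    """Constructed stand-in for the report: a 0640 'secret' file plays
    /etc/shadow, and a 'home' tree holds a symlink pointing at it."""
    secret = os.path.join(base, "secret")
    with open(secret, "w") as fh:
        fh.write("hash material\n")
    os.chmod(secret, 0o640)          # -rw-r----- like /etc/shadow
    home = os.path.join(base, "home")
    os.mkdir(home)
    os.symlink(secret, os.path.join(home, "shadow-link"))
    return secret, home


def copy_and_inspect(symlinks=True, skip_links=False):
    """Run shutil.copytree over the constructed tree and report what
    happened to the link target and what ended up in the backup."""
    base = tempfile.mkdtemp()
    try:
        secret, home = make_tree(base)
        backup = os.path.join(base, "backup")
        shutil.copytree(home, backup, symlinks=symlinks,
                        ignore=ignore_symlinks if skip_links else None)
        copied = os.path.join(backup, "shadow-link")
        return {
            # copytree never chowns, and with symlinks=True it recreates the
            # link instead of touching the target, so the target's mode stays
            "target_mode": stat.S_IMODE(os.stat(secret).st_mode),
            "entry_in_backup": os.path.lexists(copied),
            "entry_is_symlink": os.path.islink(copied),
            # True only when the link was followed (symlinks=False) and the
            # protected file's bytes were duplicated into a plain file
            "secret_duplicated": os.path.isfile(copied)
                                 and not os.path.islink(copied),
        }
    finally:
        shutil.rmtree(base)
```

With symlinks=False the backup ends up holding a plain copy of the protected file's contents, which is the exposure worth checking for in backup jobs that run with elevated rights; with the ignore= workaround the link never reaches the backup at all.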
History
Date | User | Action | Args
2022-04-11 14:58:18 | admin | set | github: 68746
2015-07-03 15:19:50 | r.david.murray | set | resolution: rejected -> not a bug; stage: resolved
2015-07-03 15:18:22 | spaceone | set | status: open -> closed; resolution: rejected; messages: + msg246187
2015-07-03 14:46:42 | r.david.murray | set | nosy: + r.david.murray; messages: + msg246183
2015-07-03 12:43:38 | spaceone | set | messages: + msg246171
2015-07-03 12:41:25 | spaceone | create |