Message181885
When copying the mode of a file with copy, copy2, copymode, copystat or copytree, all permission bits are copied (including setuid and setgid), but the owner of the file is not. This can be used for privilege escalation.
An example:
-rwSr--r-- 1 milko milko 0 фев 11 10:53 test1
shutil.copy("test1", "test2")
-rwSr--r-- 1 root root 0 фев 11 10:53 test2
If test1 contained anything malicious, now the user milko can execute his malicious payload as root.
Potential fixes:
- Strip setuid/setgid bits.
- Copy the owner on POSIX.
- Perform a safety check on the owner.
- Document the security risk.
The behaviour of copymode/copystat in this case is the same as `chmod --reference', and there can be some expectation of unsafety, but copy/copy2/copytree's behaviour differs from that of `cp -p', and this is a non-obvious difference.
Date | User | Action | Args
2013-02-11 09:10:56 | milko.krachounov | set | recipients: + milko.krachounov
2013-02-11 09:10:56 | milko.krachounov | set | messageid: <1360573856.52.0.124531930967.issue17180@psf.upfronthosting.co.za>
2013-02-11 09:10:56 | milko.krachounov | link | issue17180 messages
2013-02-11 09:10:56 | milko.krachounov | create |
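Added example, not part of the original report and not CPython's own code: a Python sketch of two of the fixes listed in the message, stripping setuid/setgid while copying and checking whether those bits ended up under a different owner. The helper names `escalation_risk` and `copy_stripping_special_bits` are hypothetical, and the sample file is constructed in a temporary directory.

```python
import os
import shutil
import stat
import tempfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def escalation_risk(src_st, dst_st):
    """True when dst carries setuid/setgid but its uid/gid differ from src."""
    carries = stat.S_IMODE(dst_st.st_mode) & SPECIAL_BITS
    moved = (src_st.st_uid, src_st.st_gid) != (dst_st.st_uid, dst_st.st_gid)
    return bool(carries) and moved


def copy_stripping_special_bits(src, dst):
    """Copy data and rwx bits like shutil.copy, but never setuid/setgid."""
    if os.path.isdir(dst):
        dst = os.path.join(dst, os.path.basename(src))
    # copyfile copies data only, so dst never holds the special bits,
    # not even briefly between the copy and the chmod.
    shutil.copyfile(src, dst)
    os.chmod(dst, stat.S_IMODE(os.stat(src).st_mode) & ~SPECIAL_BITS)
    return dst


def demo():
    """Return (source mode, mode after shutil.copy, mode after the stripping copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "test1")
        with open(src, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(src, 0o4644)  # -rwSr--r--, the mode shown in the report
        plain = shutil.copy(src, os.path.join(tmp, "test2"))
        safe = copy_stripping_special_bits(src, os.path.join(tmp, "test3"))
        return tuple(stat.S_IMODE(os.stat(p).st_mode) for p in (src, plain, safe))


if __name__ == "__main__":
    src_mode, plain_mode, safe_mode = demo()
    print("source:", oct(src_mode))
    print("shutil.copy:", oct(plain_mode))
    print("stripping copy:", oct(safe_mode))
```

`escalation_risk` takes two `os.stat` results, so it can also be run over an existing tree to find copies that kept setuid/setgid under a new owner.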