Author milko.krachounov
Recipients milko.krachounov
Date 2013-02-11.09:10:56
Message-id <1360573856.52.0.124531930967.issue17180@psf.upfronthosting.co.za>
Content
When copying the mode of a file with copy, copy2, copymode, copystat or copytree, all permission bits are copied (including setuid and setgid), but the owner of the file is not. This can be used for privilege escalation.

An example:

-rwSr--r--  1 milko milko    0 фев 11 10:53 test1

shutil.copy("test1", "test2")

-rwSr--r--  1 root  root     0 фев 11 10:53 test2

If test1 contained anything malicious, now the user milko can execute his malicious payload as root.

Potential fixes:
- Strip setuid/setgid bits.
- Copy the owner on POSIX.
- Perform a safety check on the owner.
- Document the security risk.


The behaviour of copymode/copystat in this case is the same as `chmod --reference', and there can be some expectation of unsafety, but copy/copy2/copytree's behaviour differs from that of `cp -p', and this is a non-obvious difference.
History
Date                 User              Action  Args
2013-02-11 09:10:56  milko.krachounov  set     recipients: + milko.krachounov
2013-02-11 09:10:56  milko.krachounov  set     messageid: <1360573856.52.0.124531930967.issue17180@psf.upfronthosting.co.za>
2013-02-11 09:10:56  milko.krachounov  link    issue17180 messages
2013-02-11 09:10:56  milko.krachounov  create
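
One way a caller can apply the "strip setuid/setgid bits" and "safety check on the owner" ideas from the report, as an added example that is not part of the original message or of shutil itself. The names sanitized_mode and safe_copy are hypothetical, and the uid/gid values in the demo are constructed.

```python
import os
import shutil
import stat


def sanitized_mode(src_mode, src_uid, src_gid, dst_uid, dst_gid):
    """Return the permission bits that are safe to apply to a copy.

    setuid survives only if the copy has the same owner as the source,
    setgid only if it has the same group.
    """
    mode = stat.S_IMODE(src_mode)
    if src_uid != dst_uid:
        mode &= ~stat.S_ISUID
    if src_gid != dst_gid:
        mode &= ~stat.S_ISGID
    return mode


def safe_copy(src, dst):
    """Hypothetical stand-in for shutil.copy (not a shutil API)."""
    if os.path.isdir(dst):
        dst = os.path.join(dst, os.path.basename(src))
    # Copy the data only. A newly created dst takes its mode from the umask,
    # so the source's setuid/setgid bits never appear under the new owner.
    shutil.copyfile(src, dst)
    src_st = os.stat(src)
    dst_st = os.stat(dst)
    # Apply the source mode only after comparing ownership of both files.
    os.chmod(dst, sanitized_mode(src_st.st_mode, src_st.st_uid, src_st.st_gid,
                                 dst_st.st_uid, dst_st.st_gid))
    return dst


if __name__ == "__main__":
    # Constructed values matching the report: test1 is -rwSr--r-- owned by an
    # unprivileged user (uid/gid 1000 assumed), the copy is owned by root.
    report_mode = stat.S_IFREG | 0o4644
    print(oct(sanitized_mode(report_mode, 1000, 1000, 0, 0)))
    # Same owner on both sides: the bit is preserved, as with `cp -p`.
    print(oct(sanitized_mode(report_mode, 1000, 1000, 1000, 1000)))
```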