develooper Front page | perl.perl5.porters | Postings from January 2005

Re: Bug#286905: perl-modules: File::Path::rmtree makes setuid

Thread Previous
January 12, 2005 14:12
Re: Bug#286905: perl-modules: File::Path::rmtree makes setuid
Message ID:
Brendan O'Dea <> wrote:

> both of these issues obviously stem from the same root cause--a race
> between generating a list of files, then manipulating that list.

The first issue "also" relies on trying to be clever:

	    # notabene: 0777 is for making readable in the first place,
	    # it's also intended to change it to writable in case we have
	    # to recurse in which case we are better than rm -rf for 
	    # subtrees with strange permissions

> I don't really see that this is fixable outside of rewriting rmtree to
> recursively chdir+readdir+unlink.
> Given that there are possible pitfalls even with this approach (cf. 
> CVE-2002-0435) ...

That pitfall is known and easily avoided by double-checking inodes.

>            ... I'm considering punting the problem to fileutils,
> replacing rmtree entirely with the attached subroutine.
> [p5p:] If anyone had a cleaner (and cross-platform) fix, I'd love to
> hear of it.

I am not sure that all platforms have fileutils: no -v option on rm.
(Tru64 doesn't.)

Rafael Garcia-Suarez <> wrote:

> How does this relate to the Debian patch 22_fix_file_path
> for CAN-2004-0452 ? ...

CAN-2004-0452 exploited the "chmod 0777", the fix changed the mode
to 0700 (and 0666 to 0600) but did not avoid the race.


Paul Szabo -
School of Mathematics and Statistics  University of Sydney   2006  Australia

Thread Previous Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About