Re: Symlink flag for chmod

[Pádraig Brady]

On 18/03/2024 18:31, Pádraig Brady wrote:
> On 25/01/2024 14:13, Pádraig Brady wrote:
> > On 25/01/2024 12:30, Johannes Segitz wrote:
> > > Hello,
> > >
> > > chown has a flag that prevents symlink following. chown/chmod is sometimes
> > > used in %post/%pre sections of rpm packages to fix up permissions. When
> > > this is done in user owned directories (somewhere along the path) this is a
> > > security problem. chown allows users to handle this via the -h flag which
> > > instructs it not to follow a symlink.
> > >
> > > The attached patch adds this flag for chmod. I read
> > > https://git.savannah.gnu.org/cgit/coreutils.git/plain/README-hacking
> > > but chmod doesn't have an email listed, so I set the patch here.
> > >
> > > Please CC me in replies, I'm not subscribed to the list.
> >
> > We've been consolidating chown/chmod/chgrp recently,
> > and I was already looking at this.
> > I'll incorporate your patch with what I was working on.
>
> This is the third and last part of the recent chown/chgrp/chmod
> alignment series, the previous two being:
>    https://github.com/coreutils/coreutils/commit/da091b3ab  add --from to chgrp
>    https://github.com/coreutils/coreutils/commit/9cc8d6ff5  merge chown/chgrp 
> sources
>
> The attached adds -hHLP, --{no-,}dereference options to chmod,
> to align with chown, and chgrp.  It also aligns with chmod on other systems.

I've attached an update to:

1. update docs in previous patch
2. add a new patch to fix an existing security race in chmod(1).

I'll push these in about 12 hours,
but would appreciate a quick review of the fts_level usage in the second patch.

thanks,
Pádraig

0001-chmod-add-support-for-h-H-L-P-dereference-options.patch
Description: Text Data

0002-chmod-fix-TOCTOU-security-issue-with-symlink-replace.patch
Description: Text Data