Chmod 0777 race condition during staging operations

Created on 16 March 2024
Updated 24 April 2024

Problem/Motivation

Found by Cure53 in a security review; determined to be low risk, so it could be made public.

While analyzing the drawback outlined in ticket DRU-01-006, Cure53 found that the staging directory is made world-accessible (chmod 0777) immediately before it is deleted. This effectively enables attackers to drop symbolic links into the directory between the moment the permissions are changed and the moment of deletion. As this operation is performed recursively on every sub-element of the directory, it also allows attackers to modify and execute production system files before deletion via a race condition. Similarly to DRU-01-006, this could be abused to execute OS commands in the name of the OS user executing the application's PHP code. A similar flaw was identified within the SiteConfigurationExcluder, which renders the sites/default directory world-writable for all after creating the stage directory.

Steps to reproduce

Proposed resolution

Affected file:
automatic_updates/package_manager/src/Plugin/QueueWorker/Cleaner.php
Affected code:

  public function processItem($dir) {
    assert(is_string($dir));
    if (file_exists($dir)) {
      // Every path in the stage is made world-writable (0777) immediately
      // before it is deleted; this is the window the finding describes.
      $this->fileSystem->deleteRecursive($dir, function (string $path): void {
        $this->fileSystem->chmod($path, 0777);
      });
    }
  }

Additionally affected:
package_manager/src/PathExcluder/SiteConfigurationExcluder.php::makeDefaultSiteDirectoryWritable

To mitigate this issue, Cure53 advises enforcing permissions of 0600 for files and 0700 for directories, rather than applying 0777 recursively. That way only the owner of the files is able to touch them before removal. This could be achieved by simply omitting the callback passed to the deleteRecursive function, as the Drupal core function already performs this internally.
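An added example, not code from the Automatic Updates module or from Drupal core: a small PHP helper showing the deletion pattern the recommended fix relies on. It never loosens permissions to 0777 and never follows symbolic links, so a link planted in the stage is removed as a link and its target is left alone. The function name and the temporary-directory demo are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Delete a stage tree without opening it up to other users first.
 *
 * Hypothetical helper, not Drupal's FileSystem::deleteRecursive(). Two
 * differences from the reported Cleaner code: nothing is ever chmod'ed to
 * 0777, and symbolic links are never followed (is_link() uses lstat, and
 * unlink()/rmdir() operate on the link itself), so a link planted inside
 * the stage cannot redirect the chmod or the delete onto production files.
 *
 * @return string[] paths of symlinks found inside the tree (a tamper signal).
 */
function removeStageTree(string $path): array {
  $links = [];
  if (is_link($path) || !is_dir($path)) {
    if (is_link($path)) {
      $links[] = $path;
    }
    // Unlinking needs write access on the parent directory, not on the
    // entry itself, so no chmod on the file (or on a link's target!) is needed.
    unlink($path);
    return $links;
  }
  // A real directory (checked above): owner-only access is enough to list
  // and empty it. Tighten to 0700, never loosen.
  chmod($path, 0700);
  foreach (scandir($path, SCANDIR_SORT_NONE) as $entry) {
    if ($entry !== '.' && $entry !== '..') {
      $links = array_merge($links, removeStageTree("$path/$entry"));
    }
  }
  rmdir($path);
  return $links;
}

// Constructed demonstration (POSIX): a stage with a planted symlink.
$stage = sys_get_temp_dir() . '/stage-' . bin2hex(random_bytes(4));
mkdir("$stage/sub", 0700, TRUE);
file_put_contents("$stage/sub/staged.txt", 'staged');
$target = tempnam(sys_get_temp_dir(), 'prod');  // stands in for a production file
symlink($target, "$stage/sub/planted");
$found = removeStageTree($stage);
printf("removed stage: %s\n", file_exists($stage) ? 'no' : 'yes');
printf("links found: %s\n", implode(', ', $found));
printf("target intact, mode %o\n", fileperms($target) & 0777);
unlink($target);
```

The stage directory itself must still be owned by the application user and not writable by others; this helper only closes the "chmod 0777, then delete" window described above.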

Remaining tasks

User interface changes

API changes

Data model changes

πŸ› Bug report
Status

Fixed

Version

3.0

Component

Code

Created by

🇺🇸 United States tedbow Ithaca, NY, USA
