Remove hard links from env::current_exe security example
#96671
Conversation
The security example shows that `env::current_exe` will return the path used when the program was started. This is not really surprising considering how hard links work: after `ln foo bar`, the two files are _equivalent_. It is _not_ the case that `bar` is a “link” to `foo`, nor is `foo` a link to `bar`. They are simply two names for the same underlying data. The security vulnerability linked to seems to be different: there an attacker would start a SUID binary from a directory under the control of the attacker. The binary would respawn itself by executing the program found at `/proc/self/exe` (which the attacker can control). This is a real problem. In my opinion, the example given here doesn’t really show the same problem, it just shows a misunderstanding of what hard links are. I looked through the history a bit and found that the example was introduced in rust-lang#33526. That PR actually has two commits, and the first (8478d48) explains the race condition at the root of the linked security vulnerability. The second commit proceeds to replace the explanation with the example we have today. This commit reverts most of the second commit from rust-lang#33526.
rustbot
added
the
T-libs
|
Hey! It looks like you've submitted a new PR for the library teams! If this PR contains changes to any Examples of
|
|
(rust-highfive has picked a reviewer for you, use r? to override) |
rust-highfive
added
the
S-waiting-on-review
I think the hard link example sort of illustrates (at least IMO) that the directory being under control isn't necessary -- you can start the binary in an arbitrary place. This means that for example assuming But I think the specificity of the example hurt more than helped -- and the new text does a slightly better job at explaining the problem. @bors r+ rollup |
|
📌 Commit 9a1dc2a has been approved by |
bors
added
S-waiting-on-bors
…askrgr Rollup of 10 pull requests Successful merges: - rust-lang#96336 (Link to correct `as_mut` in docs for `pointer::as_ref`) - rust-lang#96586 (Add aliases for std::fs::canonicalize) - rust-lang#96667 (Add regression test) - rust-lang#96671 (Remove hard links from `env::current_exe` security example) - rust-lang#96726 (Add regression and bug tests) - rust-lang#96756 (Enable compiler-docs by default for `compiler`, `codegen`, and `tools` profiles) - rust-lang#96757 (Don't constantly rebuild clippy on `x test src/tools/clippy`.) - rust-lang#96769 (Remove `adx_target_feature` feature from active features list) - rust-lang#96777 (Make the test `check-pass` not to produce a JSON file) - rust-lang#96822 (Enforce quote rule for JS source code) Failed merges: r? `@ghost` `@rustbot` modify labels: rollup
Good point and yeah, it does demonstrate it in an indirect way.
Thanks, I think that's a good way to put it. |
The security example shows that
env::current_exewill return the path used when the program was started. This is not really surprising considering how hard links work: afterln foo bar, the two files are equivalent. It is not the case thatbaris a “link” tofoo, nor isfooa link tobar. They are simply two names for the same underlying data.The security vulnerability linked to seems to be different: there an attacker would start a SUID binary from a directory under the control of the attacker. The binary would respawn itself by executing the program found at
/proc/self/exe(which the attacker can control). This is a real problem. In my opinion, the example given here doesn’t really show the same problem, it just shows a misunderstanding of what hard links are.I looked through the history a bit and found that the example was introduced in #33526. That PR actually has two commits, and the first (8478d48) explains the race condition at the root of the linked security vulnerability. The second commit proceeds to replace the explanation with the example we have today.
This commit reverts most of the second commit from #33526.