This was deemed not a vulnerability.
chownr is a package that takes the same arguments as
Affected versions of this package are vulnerable to Time of Check Time of Use (TOCTOU).
Information: Maintainers Advice
There is no readdir that will succeed on actual directories, and fail on symlinks to directories.
The basic flow would be:
1) Read a directory, get a list of items
2) One of those items is a directory
3) After the initial readdir (or readdir+lstat), but before the directory traversal, an attacker moves the directory aside and replaces it with a symbolic link to some other directory.
4) The script will proceed to change ownership of all items in the symlink target directory.
There is no readdir(3) call that will succeed on a "real" directory, but fail on a symbolic link to a directory. What that means is that there is no atomic way to verify that, at the exact time of reading a directory, it's a real directory and not a symlink to somewhere else.
That being the case, there will always be a TOCTOU issue for any recursive filesystem operation that traverses directories, making changes at each level.
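The flow above, replayed deterministically in a throwaway temp directory, as an added example that is not chownr's code and not part of the advisory. The names `walk`, `escapedPaths` and `hook` are hypothetical; `visit` stands where a chown call would be, so no privileges are needed, and `hook` stands in for the concurrent process. It also shows that a second lstat before descending only narrows the window. POSIX symlinks are assumed.

```javascript
// Added example, not chownr's code. Assumes POSIX paths and symlinks.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Recursive walk; visit(p) stands where a chown call would be. opts.hook is a
// hypothetical stand-in for a concurrent process, and opts.when places it
// 'before' or 'after' the optional second lstat (opts.recheck).
function walk(dir, visit, opts) {
  for (const name of fs.readdirSync(dir)) {      // step 1: list the items
    const p = path.join(dir, name);
    const st = fs.lstatSync(p);                  // step 2: check, a real directory
    if (st.isDirectory()) {
      if (opts.when === 'before') opts.hook(p);
      if (opts.recheck) {                        // second check, same dev and inode?
        const now = fs.lstatSync(p);
        if (!now.isDirectory() || now.ino !== st.ino || now.dev !== st.dev) continue;
      }
      if (opts.when === 'after') opts.hook(p);
      walk(p, visit, opts);                      // step 4: readdir follows the link
    }
    visit(p);
  }
}

// Builds a constructed tree in a temp dir, runs the walk, and returns the
// visited paths that resolve outside the tree (relative to the temp root).
function escapedPaths(recheck, when) {
  const root = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'toctou-')));
  const tree = path.join(root, 'tree');
  const outside = path.join(root, 'outside');
  fs.mkdirSync(path.join(tree, 'sub'), { recursive: true });
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(tree, 'sub', 'inside.txt'), '');
  fs.writeFileSync(path.join(outside, 'other.txt'), '');
  // step 3: the directory is moved aside and replaced by a symlink
  const hook = (p) => { fs.renameSync(p, p + '.moved'); fs.symlinkSync(outside, p); };
  const escaped = [];
  try {
    walk(tree, (p) => {
      const real = fs.realpathSync(p);
      if (!real.startsWith(tree + path.sep)) escaped.push(path.relative(root, real));
    }, { recheck, when, hook });
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
  return escaped;
}
```

`escapedPaths(false, 'before')` and `escapedPaths(true, 'after')` both report the entries under `outside`, while `escapedPaths(true, 'before')` reports none: the recheck catches a swap that happens before it, not one that happens after it.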
- Jeff Epler
- 31 Jul, 2018
- 11 Jan, 2019