Making DO_POSIX_CP configurable

Ralf Friedl Ralf.Friedl at online.de
Tue Sep 11 16:32:52 UTC 2007


> User comes to you and says "I accidentally deleted my most important
> directory. I know that you make daily backups. Can you restore
> it from backup?"
>
> You do
>
> cp -a /backup/home/user/dir /home/user
>
> But user has crafted it so that backup contains
> dir/many_more_dirs/innocuous_file, and he also
> created a symlink
>
> ln -s /etc/passwd /home/user/dir/many_more_dirs/innocuous_file
>
> Now imagine the effect of the above cp command.
>   
Personally, I would never restore a backup over an existing directory, 
but to an empty one. From there I (or the user) could move the needed 
files to the right place.

But I see your point.
> The attacker doesn't write the file himself. He tricks root into doing it.
>   
The attacker creates the link and then must trick root into writing to 
it. That was clear.
> GNU coreutils have cp --remove-destination. I think people
> will forget to use it until it's too late.
>
> I see that for "cp file1 file2" it is a problem,
> but for "cp -r dir1 dir2" it is exactly what you want, right?
>   
So "cp -r" would imply "--remove-destination", while "cp without -r" 
would not?

I think that is a good solution, better than differentiating between 
regular and device files.

Regards
Ralf Friedl
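The restore from the quoted message and both mitigations discussed in this thread, as an added sandboxed example that is not part of the original post: the "protected" file standing in for /etc/passwd, the backup tree and the planted symlink are all constructed under a temporary directory, and `cp --remove-destination` is assumed to be available (GNU coreutils, or busybox built with long options).

```shell
#!/bin/sh
# Added example, not from the thread: rebuilds the scenario in a throwaway
# directory and shows both mitigations. All paths and contents are constructed.
set -eu

# Sandbox: a "protected" file standing in for /etc/passwd, a backup tree,
# and the user's live tree with the planted symlink. Sets $SB.
setup_sandbox() {
    SB=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$SB/protected"
    mkdir -p "$SB/backup/dir/many_more_dirs" "$SB/home/dir/many_more_dirs"
    printf 'harmless backup content\n' > "$SB/backup/dir/many_more_dirs/innocuous_file"
    ln -s "$SB/protected" "$SB/home/dir/many_more_dirs/innocuous_file"
}

# Pre-flight check: true if any symlink exists anywhere under the destination.
dest_has_symlinks() {
    find "$1" -type l | grep -q .
}

# The restore exactly as in the thread. cp opens the existing destination
# path, following the symlink; returns 0 if the protected file was overwritten.
restore_unsafe() {
    cp -a "$SB/backup/dir" "$SB/home"
    grep -q 'harmless backup content' "$SB/protected"
}

# Mitigation 1: unlink each destination file before opening it, so the link
# is replaced rather than followed (directories are merged, not removed).
# Returns 0 if the restored path is a regular file and the protected file is intact.
restore_remove_destination() {
    cp -a --remove-destination "$SB/backup/dir" "$SB/home"
    f="$SB/home/dir/many_more_dirs/innocuous_file"
    [ -f "$f" ] && [ ! -L "$f" ] && grep -q '^root:x:0:0' "$SB/protected"
}

# Mitigation 2 (Ralf's practice): restore into a fresh empty directory, where
# no pre-existing link can be followed. Prints the new directory.
restore_into_empty() {
    dest=$(mktemp -d "$SB/restore.XXXXXX")
    cp -a "$SB/backup/dir" "$dest"
    echo "$dest"
}

# Driver: run the three scenarios, each on a fresh sandbox.
setup_sandbox; restore_unsafe && echo "plain cp -a: wrote through the link into $SB/protected"
setup_sandbox; restore_remove_destination && echo "--remove-destination: link replaced, protected file intact"
setup_sandbox; d=$(restore_into_empty) && echo "restore into empty dir: $d"
```

Run `dest_has_symlinks /home/user` (or the equivalent `find -type l`) before any restore over an existing tree; a non-empty result is the signal to use one of the two safer restores instead.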