System.Directory.removeDirectoryRecursive and symlinks

Krzysztof Skrzętnicki gtener at gmail.com
Tue Jun 10 20:00:31 UTC 2014 

Following symlinks can be potentially dangerous/security exploit: symlink
to '/' can be created by non-priviliged user and then removed using
removeDirectoryRecursive called by priviliged user (example: root deleting
user account & directory). Catastrophic system damage can follow. Also
might be used for selective attacks, e.g. deleting files that contain
firewall settings or something alike.

All best,
Krzysztof Skrzętnicki

On Tue, Jun 10, 2014 at 5:23 PM, Isaac Dupree <
ml at isaac.cedarswampstudios.org> wrote:

> The documentation also says "Be careful, if the directory contains
> symlinks, the function will follow them.", which is dangerous and
> inappropriate but thankfully not actually what removeDirectoryRecursive
> does (based on testing and also on reading the code).  That statement
> should be removed from the documentation.
>
> I'm indifferent on whether the argument path itself should be able to be a
> symlink to a directory, and if so, whether the target directory and/or the
> symlink should be removed, and whether this should differ based on whether
> the path ends in a "/" or not.  (Many Unix operations on symlinks, like
> `ls`, do differ based on a trailing slash. `rm -rf symlink` removes just
> the symlink; `rm -rf symlink/` appears to remove the contents of the target
> directory but neither the symlink nor the target directory itself...)
>
> -Isaac
>
>
> On 06/10/2014 09:42 AM, Gracjan Polak wrote:
>
>> Hi all,
>>
>> A crime scene:
>>
>> Prelude System.Directory> :!mkdir a-directory
>> Prelude System.Directory> :!touch a-directory/a-file.txt
>> Prelude System.Directory> :!ln -s "a-directory" "a-symlink-to-a-directory"
>> Prelude System.Directory> :!ls a-directory
>> a-file.txt
>> Prelude System.Directory> :!ls a-symlink-to-a-directory
>> a-file.txt
>> Prelude System.Directory> removeDirectoryRecursive
>>                               "a-symlink-to-a-directory"
>> *** Exception: a-symlink-to-a-directory: removeDirectory:
>>      inappropriate type (Not a directory)
>> Prelude System.Directory> :!ls a-symlink-to-a-directory
>> Prelude System.Directory> :!ls a-directory
>> Prelude System.Directory> :!ls -a a-directory
>> .       ..
>> Prelude System.Directory> :!ls -a a-symlink-to-a-directory
>> .       ..
>> Prelude System.Directory>
>>
>> removeDirectoryRecursive is removing all contents *of the directory
>> linked*
>> but is unable to remove the symlink itself.
>>
>> This behavior is surprizing if not dangerous. I understand that this
>> mimics
>> behavior of unlink/rmdir and DeleteFile/RemoveDirectory. but let me quote
>> relevant manuals:
>>
>> man rm:
>> The rm utility removes symbolic links, not the files referenced by the
>> links.
>>
>> DeleteFile docs:
>> If the path points to a symbolic link, the symbolic link is deleted, not
>> the
>> target. To delete a target, you must call CreateFile and specify
>> FILE_FLAG_DELETE_ON_CLOSE.
>>
>> RemoveDirectory removes a directory junction, even if the contents of the
>> target are not empty; the function removes directory junctions regardless
>> of
>> the state of the target object.
>>
>> Note: doesDirectoryExist and doesFileExist follow symlinks so they add
>> more
>> surprize to the scenario.
>>
>> What can we do about this?
>>
>>
> _______________________________________________
> Libraries mailing list
> Libraries at haskell.org
> http://www.haskell.org/mailman/listinfo/libraries
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.haskell.org/pipermail/libraries/attachments/20140610/92570753/attachment-0001.html>

More information about the Libraries mailing list