Bug 865591

Summary: fdupes: possible file linking of files with different owner/group/permissions
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: hobbes1069
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20121011,reported=20121011,source=suse,cvss2=2.6/AV:L/AC:H/Au:N/C:P/I:P/A:N,fedora-all/fdupes=affected
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-08-02 15:55:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 865592

Description Vincent Danen 2012-10-11 16:58:41 EDT
A SUSE bug report [1] noted a problem with how fdupes is used in the %fdupes RPM macro. When there are two files with identical content that differ in owner/group/permissions, the %fdupes macro overwrites one of the files with a link that effectively gives both files the same owner/group/permissions. If one of the files has tighter permissions than the other, this could result in one of the files having more relaxed permissions than appropriate.

It looks as though our implementation of %fdupes is taken from SUSE's, so we would be susceptible to the same issues.  Suggested means of resolving this are to test for equality of owner/group/permissions before duping a file.  It might also be prudent to set some areas as "off limits", such as files in /etc/ or other locations that may contain user-changed configuration files.

[1] https://bugzilla.novell.com/show_bug.cgi?id=784670
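The check the report asks for, as an added example (this is not the Fedora or SUSE %fdupes macro code): a duplicate group that fdupes found content-identical is further split by (uid, gid, mode) before any hardlinking, and paths under an assumed "off limits" prefix list such as /etc/ are left alone. The constructed demo varies only the mode, since changing uid/gid needs root, but the grouping key covers all three.

```python
import os
import tempfile
from collections import defaultdict

# Constructed example, not Fedora's or SUSE's %fdupes macro code: only link
# content-identical files whose owner, group and permission bits also match,
# and skip anything under an "off limits" directory (assumed list).
OFF_LIMITS = ("/etc/",)

def is_off_limits(path, prefixes=OFF_LIMITS):
    """True if the path lives in a directory we must never link into."""
    return os.path.abspath(path).startswith(prefixes)

def split_by_metadata(paths):
    """Split a content-identical group by (uid, gid, mode); symlinks are skipped."""
    groups = defaultdict(list)
    for p in paths:
        if os.path.islink(p):
            continue
        st = os.stat(p)
        groups[(st.st_uid, st.st_gid, st.st_mode)].append(p)
    return groups

def link_safe_duplicates(paths):
    """Hardlink each metadata-homogeneous sub-group to its first member."""
    linked = []
    for members in split_by_metadata(paths).values():
        keep, dups = members[0], members[1:]
        for dup in dups:
            if is_off_limits(keep) or is_off_limits(dup):
                continue
            tmp = dup + ".fdupes-tmp"
            os.link(keep, tmp)     # link first, then rename over the duplicate,
            os.replace(tmp, dup)   # so the file is never missing in between
            linked.append((keep, dup))
    return linked

def demo():
    """Constructed input: three identical files, one with tighter permissions."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("a.conf", "b.conf", "secret.conf")]
    for p, mode in zip(paths, (0o644, 0o644, 0o600)):
        with open(p, "w") as f:
            f.write("same content\n")
        os.chmod(p, mode)
    linked = link_safe_duplicates(paths)
    ino = [os.stat(p).st_ino for p in paths]
    # returns: the one (kept, replaced) pair, a/b share an inode, secret does not
    return linked, ino[0] == ino[1], ino[2] != ino[0]
```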
Comment 1 Vincent Danen 2012-10-11 17:01:03 EDT
Created fdupes tracking bugs for this issue

Affects: fedora-all [bug 865592]
Comment 2 Richard Shaw 2012-10-22 10:25:35 EDT
Looks like the SUSE guys have found a solution. I'll be implementing it as soon as I have a chance.
Comment 3 Vincent Danen 2013-08-02 15:55:07 EDT
This has been corrected in Fedora 17, 18, and 19 with the update to fdupes-1.51-1.