Bug 865591 - fdupes: possible file linking of files with different owner/group/permissions
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All Linux
Priority: low Severity: low
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 865592
Reported: 2012-10-11 16:58 EDT by Vincent Danen
Modified: 2013-08-02 15:55 EDT
Doc Type: Bug Fix
Last Closed: 2013-08-02 15:55:07 EDT
Description Vincent Danen 2012-10-11 16:58:41 EDT
A SUSE bug report [1] noted a problem with how fdupes is used in the %fdupes RPM macro.  When there are two files with identical content that differ in owner/group/permissions, the %fdupes macro overwrites one of the files with a link that effectively gives both files the same owner/group/permissions.  If one of the files has tighter permissions than the other, this could result in one of the files having more relaxed permissions than appropriate.

It looks as though our implementation of %fdupes is taken from SUSE's, so we would be susceptible to the same issues.  Suggested means of resolving this are to test for equality of owner/group/permissions before duping a file.  It might also be prudent to set some areas as "off limits", such as files in /etc/ or other locations that may contain user-changed configuration files.

[1] https://bugzilla.novell.com/show_bug.cgi?id=784670
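
The check suggested in the description above, as an added example; it is not code from fdupes, from the %fdupes macro, or from the SUSE or Fedora fix. It assumes `root` is a package build tree, and the names `link_duplicates` and `OFF_LIMITS` are invented here: duplicates are hardlinked only when owner, group and permission bits also match, and anything under an off-limits top-level directory is skipped.

```python
import hashlib
import os
import stat
from collections import defaultdict

# Assumption: top-level directories (relative to root) that are never linked.
OFF_LIMITS = ("etc",)


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def link_duplicates(root, off_limits=OFF_LIMITS, dry_run=False):
    """Hardlink duplicate regular files under root, but only when owner,
    group and mode also match. Returns a list of (kept, replaced) paths."""
    groups = defaultdict(list)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices, sockets are left alone
            if os.path.relpath(path, root).split(os.sep)[0] in off_limits:
                continue  # e.g. configuration files under etc/
            # Metadata is part of the grouping key: identical bytes with a
            # different uid, gid or mode never end up in the same group.
            key = (st.st_dev, st.st_uid, st.st_gid,
                   stat.S_IMODE(st.st_mode), _digest(path))
            groups[key].append((path, st.st_ino))
    linked = []
    for members in groups.values():
        members.sort()
        keep, keep_ino = members[0]
        for dup, ino in members[1:]:
            if ino == keep_ino:
                continue  # already the same inode
            if not dry_run:
                tmp = dup + ".linktmp"
                os.link(keep, tmp)    # create the link next to the duplicate
                os.replace(tmp, dup)  # then swap it in atomically
            linked.append((keep, dup))
    return linked
```
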
Comment 1 Vincent Danen 2012-10-11 17:01:03 EDT
Created fdupes tracking bugs for this issue

Affects: fedora-all [bug 865592]
Comment 2 Richard Shaw 2012-10-22 10:25:35 EDT
Looks like the SUSE guys have found a solution. I'll be implementing it as soon as I have a chance.
Comment 3 Vincent Danen 2013-08-02 15:55:07 EDT
This has been corrected in Fedora 17, 18, and 19 with the update to fdupes-1.51-1.
