Title: shutil.copy2 race condition leading to local file disclosure · Issue #96719 · python/cpython · GitHub
Open Graph Title: shutil.copy2 race condition leading to local file disclosure · Issue #96719 · python/cpython
X Title: shutil.copy2 race condition leading to local file disclosure · Issue #96719 · python/cpython
Description: Bug report shutil.copy2 first copies the contents (creating the file with default permissions), then sets the permissions. This allows a local attacker that can read the directory to quickly grab the contents of the file before the permi...
Open Graph Description: Bug report shutil.copy2 first copies the contents (creating the file with default permissions), then sets the permissions. This allows a local attacker that can read the directory to quickly grab t...
X Description: Bug report shutil.copy2 first copies the contents (creating the file with default permissions), then sets the permissions. This allows a local attacker that can read the directory to quickly grab t...
Opengraph URL: https://github.com/python/cpython/issues/96719
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"shutil.copy2 race condition leading to local file disclosure","articleBody":"# Bug report\r\n\r\nshutil.copy2 first copies the contents (creating the file with default permissions), then sets the permissions. This allows a local attacker that can read the directory to quickly grab the contents of the file before the permissions are changed. (This was reported to security@ on 2022-02-04 and has now been [publicly disclosed](https://github.com/janschejbal/raceread/blob/master/writeups/python.md) - the link has some extra detail. Creating the bug here as directed.)\r\n\r\nSource code: https://github.com/python/cpython/blob/3.10/Lib/shutil.py#L434\r\n\r\nNote that changing the permissions after file creation but before writing content is insufficient: if the file is created with permissions that allow the attacker to open it, the attacker can get a file handle for the (empty) file. Under POSIX, the handle remains valid and readable even if the permissions change, allowing the attacker to read the file contents when they're populated. (@tiran, please feel free to add the info from your security@ response.)\r\n\r\nI've confirmed that this is reliably exploitable (if the file is being created in a directory that the attacker can read), proof of concept code is available in https://github.com/janschejbal/raceread/. This is relevant in practice due to questionable choices by some distributions, causing many home directories to be created with permissions 755, i.e. world-readable (Ubuntu only [changed that in 21.04](https://discourse.ubuntu.com/t/private-home-directories-for-ubuntu-21-04-onwards/19533)).\r\n\r\n# Your environment\r\n\r\nI've tested this on Python 3.8.10 on Ubuntu 20.04.3 LTS, but I believe it to affect all versions on any POSIX-compliant platform.","author":{"url":"https://github.com/janschejbal","@type":"Person","name":"janschejbal"},"datePublished":"2022-09-09T17:29:45.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":1},"url":"https://github.com/96719/cpython/issues/96719"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:f9b58fd4-fac1-9153-bc9c-503fd21a2a33 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | E674:6F3CF:6153EDD:888C7F0:6A5026B0 |
| html-safe-nonce | 3a1fd84b8c324cf51a11a1ce3654316bd1775e6dea97d97faa714b470054cb4c |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJFNjc0OjZGM0NGOjYxNTNFREQ6ODg4QzdGMDo2QTUwMjZCMCIsInZpc2l0b3JfaWQiOiI0NjIwNDEyNTM0NzYzMDM4Mzg0IiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | e7a3333c18be58d9969d12edf8377ce3fd4bd90ac1b2d61da1628e95e3f8d8b0 |
| hovercard-subject-tag | issue:1368126440 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/python/cpython/96719/issue_layout |
| twitter:image | https://opengraph.githubassets.com/64c0a61d89d60c391b2e9ea1b17449c9fdbd0438453ad1cdc00524cc31c4ab45/python/cpython/issues/96719 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/64c0a61d89d60c391b2e9ea1b17449c9fdbd0438453ad1cdc00524cc31c4ab45/python/cpython/issues/96719 |
| og:image:alt | Bug report shutil.copy2 first copies the contents (creating the file with default permissions), then sets the permissions. This allows a local attacker that can read the directory to quickly grab t... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | janschejbal |
| hostname | github.com |
| expected-hostname | github.com |
| None | a08040246389072795e3b4e7b33c6d9a0c564eee02e829a809326d67c418b069 |
| turbo-cache-control | no-preview |
| go-import | github.com/python/cpython git https://github.com/python/cpython.git |
| octolytics-dimension-user_id | 1525981 |
| octolytics-dimension-user_login | python |
| octolytics-dimension-repository_id | 81598961 |
| octolytics-dimension-repository_nwo | python/cpython |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 81598961 |
| octolytics-dimension-repository_network_root_nwo | python/cpython |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | d1b91b18e7330fc458dfd824c61eaed7daa830d6 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width