#1782 TOCTOU race conditions by copying and removing directory trees

Created 4 years ago by jhrozek
Modified 9 months ago

A TOCTOU (time-of-check time-of-use) race condition was found in the way SSSD, System Security Services Daemon, performed copying and removal of (user) directory trees. A local attacker, with permissions to write into the directory of the victim, being actively / currently copied / removed via the sssd daemon facility, could use this flaw to conduct symbolic link attacks, leading to their ability to alter / remove directories outside of originally intended, to be modified, directory tree.

This issue was found by Florian Weimer of Red Hat Product Security Team.

Attachments
Bob Foster.jpg - 2016-11-03 16:51:04
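A general mitigation for the bug class described above, as an added example (not SSSD's patch, which this ticket does not show): tree removal that resolves every name relative to an already-open directory descriptor and refuses to follow symlinks. The function name `remove_tree_at` is hypothetical.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Remove directory `name` (resolved relative to parent_fd) and everything
 * below it. Hypothetical helper, not SSSD code. Returns 0, or -1 with errno. */
int remove_tree_at(int parent_fd, const char *name)
{
    /* O_NOFOLLOW: if `name` was swapped for a symlink after the caller
     * checked it, the open fails instead of entering the link target. */
    int dfd = openat(parent_fd, name,
                     O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;

    DIR *dir = fdopendir(dfd);          /* dir now owns dfd */
    if (dir == NULL) {
        int saved = errno;
        close(dfd);
        errno = saved;
        return -1;
    }

    int rc = 0;
    struct dirent *ent;
    while (rc == 0 && (errno = 0, ent = readdir(dir)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        /* Names are resolved against the open directory fd, so a renamed
         * or replaced ancestor cannot redirect the operation. unlinkat()
         * removes a symlink itself and never follows it. */
        if (unlinkat(dfd, ent->d_name, 0) == 0)
            continue;
        if (errno == EISDIR || errno == EPERM)  /* entry is a directory */
            rc = remove_tree_at(dfd, ent->d_name);
        else
            rc = -1;
    }
    if (rc == 0 && errno != 0)          /* readdir() itself failed */
        rc = -1;

    int saved = errno;
    closedir(dir);
    errno = saved;
    return rc == 0 ? unlinkat(parent_fd, name, AT_REMOVEDIR) : -1;
}
```

The same descriptor-relative pattern applies to the copy path: open the source with `openat(..., O_NOFOLLOW)` and create destination entries with `mkdirat`/`openat` against the destination directory's descriptor rather than rebuilding full path strings.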

Fields changed

owner: somebody => jhrozek
rhbz: => 884254
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

9 months ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.4

defect

SSSD

1.9.3
