If an attacker can introduce a hard link into a directory with a
default ACL, then he may be able to trick the user into applying that
default ACL to the target of the hard link which lives somewhere else
entirely. That can be exploited to gain access to the user's files,
and is hard to detect.
To avoid that problem entirely, great care must be taken. For now, a
naive check of the target path is implemented to ensure that (at the
start of the routine) it has only one name on the filesystem. This
still admits a race condition, but is an improvement.
The new behavior is now documented in the man page, and a test has
been added to ensure that pre-existing hard links are ignored.
projects / apply-default-acl.git / commitdiff