
Bug#863985: ITP: node-chownr -- Javascript implementation of chown -R.



This package appears to have a TOCTOU bug, which can trick it into
descending into unintended trees if a non-symlink is replaced by a
symlink at a critical moment:

      fs.lstat(pathChild, function(er, stats) {
        if (er)
          return cb(er)
        if (!stats.isSymbolicLink())
          chownr(pathChild, uid, gid, then)

(I did not prove this; it's a claim by inspection only.)

This can best be fixed by using modern "*at" APIs such as fchownat,
as chmod(1) does at least as far back as Debian Wheezy, but I
suspect these are probably not readily available in the node
ecosystem.

Besides that, the package's test suite unsafely uses predictable
filenames in "/tmp".  (See at least test/sync.js in master branch.)
At a minimum, it can probably be tricked into changing the group of
an arbitrary file the test-running user owns.

Jeff
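
The descriptor-relative walk the message points to, as an added C example that is not part of the original message or of node-chownr; the name `chown_tree_at` and its entry-count return value are assumptions made for illustration. Only the last component of the starting path is covered by O_NOFOLLOW, so the caller is assumed to trust the directories above it.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Illustrative helper (not node-chownr code): chown the tree at `name`, resolved
 * relative to dirfd. Returns the number of entries chowned, or -1 on error. */
long chown_tree_at(int dirfd, const char *name, uid_t uid, gid_t gid)
{
    /* O_NOFOLLOW makes the open itself reject a symlink: check and use are one call. */
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    DIR *d = fdopendir(fd);                  /* d now owns fd */
    if (!d) { close(fd); return -1; }
    long count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        struct stat st;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (fstatat(fd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0) goto fail;
        if (S_ISDIR(st.st_mode)) {
            /* If the entry is swapped for a symlink after fstatat, the nested openat fails. */
            long n = chown_tree_at(fd, e->d_name, uid, gid);
            if (n < 0) goto fail;
            count += n;
        } else if (fchownat(fd, e->d_name, uid, gid, AT_SYMLINK_NOFOLLOW) < 0) {
            goto fail;                       /* a symlink entry: the link itself is the target */
        } else {
            count++;
        }
    }
    if (fchown(fd, uid, gid) < 0) goto fail; /* the directory, via the fd already held */
    closedir(d);
    return count + 1;
fail:
    closedir(d);
    return -1;
}

int main(int argc, char **argv)
{
    long n = argc > 1 ? chown_tree_at(AT_FDCWD, argv[1], getuid(), getgid()) : -1;
    printf("%ld entries\n", n);
    return n < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

The walk fails closed: a directory entry that turns into a symlink mid-walk aborts the run with -1 rather than being followed.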

