When a unix process is running in a directory, and that directory gets renamed, the process is taken on a ride to a new location in the filesystem. Suddenly, any "../" paths it might be using point to new, and unexpected locations.
This can be a source of interesting behavior, and also of security holes.
Suppose root is poking around in ~user/foo/bar/ and decides to run vim ../../etc/conffile. If the user notices this process is running, they can mv ~/foo/bar /tmp, and when vim saves the file, it will write to /tmp/bar/../../etc/conffile, AKA /etc/conffile.
(Vim does warn that the file has changed while it was being edited. Other editors may not. Or root may be feeling especially BoFH and decide to overwrite the user's changes to their file. Or the rename could perhaps be carefully timed to avoid vim's overwrite protection.)
Or, suppose root, in the same place, decides to archive ../../etc with tar, and then delete it: tar cf etc.tar ../../etc; rm -rf ../../etc. Now the user has some time to take root's shell on a ride before the rm starts ... and make it delete all of /etc!
Anyone know if this class of security hole has a name?
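As an added illustration (not part of the original post), the following Python script reproduces the working-directory rename behaviour described above inside a throwaway temp directory and shows two defensive measures: detecting that the working directory has moved (getcwd() no longer matches what it returned at start) and pinning the intended target directory with a directory file descriptor, so later writes go through dir_fd instead of re-resolving "../" against wherever the process has been dragged to. The sandbox layout (home/user/foo/bar, home/user/etc/conffile, etc/conffile, tmp under a mkdtemp() base) is constructed to mirror the ~user/foo/bar and /tmp example; the names REL, make_sandbox and run_demo are this example's own, and nothing touches real system paths.

```python
import os
import tempfile

# Constructed sandbox layout (placeholders under a temp dir, not real system paths):
#   <base>/home/user/foo/bar          the directory "root" is working in
#   <base>/home/user/etc/conffile     what ../../etc/conffile means at first
#   <base>/etc/conffile               what it means after the directory is moved
#   <base>/tmp                        where the "user" moves foo/bar to
REL = os.path.join("..", "..", "etc", "conffile")


def make_sandbox():
    """Create the constructed directory tree and return its absolute base path."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="cwd-race-"))
    for d in ("home/user/foo/bar", "home/user/etc", "etc", "tmp"):
        os.makedirs(os.path.join(base, d))
    for f in ("home/user/etc/conffile", "etc/conffile"):
        with open(os.path.join(base, f), "w") as fh:
            fh.write("original\n")
    return base


def read(path):
    with open(path) as fh:
        return fh.read()


def run_demo(base):
    """Sit in home/user/foo/bar, let the directory be renamed under us, and
    compare a naive relative-path write with a write pinned by a directory fd."""
    bar = os.path.join(base, "home", "user", "foo", "bar")
    saved = os.getcwd()
    os.chdir(bar)
    try:
        cwd_at_start = os.getcwd()
        before = os.path.realpath(REL)          # resolved while still in place
        # Mitigation 1: pin the intended directory with an fd *before* any long
        # operation. A rename of our cwd cannot change what this fd refers to.
        etc_fd = os.open(os.path.dirname(before), os.O_RDONLY)
        try:
            # The "user" renames the directory the process is sitting in.
            os.rename(bar, os.path.join(base, "tmp", "bar"))
            after = os.path.realpath(REL)       # now re-resolves somewhere else
            # Mitigation 2 (detection only): the kernel reports the new cwd path.
            cwd_moved = os.getcwd() != cwd_at_start
            # Naive write through the relative path lands at `after`.
            with open(REL, "w") as fh:
                fh.write("naive\n")
            # Pinned write via dir_fd still hits the originally intended file.
            fd = os.open("conffile", os.O_WRONLY | os.O_TRUNC, dir_fd=etc_fd)
            with os.fdopen(fd, "w") as fh:
                fh.write("pinned\n")
        finally:
            os.close(etc_fd)
    finally:
        os.chdir(saved)
    return {
        "before": before,
        "after": after,
        "cwd_moved": cwd_moved,
        "user_conf": read(os.path.join(base, "home", "user", "etc", "conffile")),
        "system_conf": read(os.path.join(base, "etc", "conffile")),
    }


if __name__ == "__main__":
    result = run_demo(make_sandbox())
    for key, value in result.items():
        print(f"{key}: {value!r}")
```

Resolving the path once with realpath() at start is better than re-resolving "../" on every call, but it still leaves a window between resolution and use; holding an fd on the target directory and using dir_fd (openat() underneath) closes that window for the directory component, which is why the pinned write above ends up in home/user/etc/conffile while the naive one ends up in etc/conffile. The getcwd() comparison only detects that the process was taken for a ride; it is a useful sanity check before a destructive step like rm -rf, not a substitute for pinning.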
Hi,
I think what you found might be a variation of TOCTOU - time of creation, time of access.
For example (although slightly different, but it's the same underlying idea):
https://duo.com/decipher/docker-bug-allows-root-access-to-host-file-system