From 9a1dc2a0a2cff86d26563222f6c44e14bd5beea6 Mon Sep 17 00:00:00 2001 From: Martin Geisler Date: Tue, 3 May 2022 14:23:28 +0200 Subject: [PATCH] Remove hard links from `env::current_exe` security example MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The security example shows that `env::current_exe` will return the path used when the program was started. This is not really surprising considering how hard links work: after `ln foo bar`, the two files are _equivalent_. It is _not_ the case that `bar` is a “link” to `foo`, nor is `foo` a link to `bar`. They are simply two names for the same underlying data. The security vulnerability linked to seems to be different: there an attacker would start a SUID binary from a directory under the control of the attacker. The binary would respawn itself by executing the program found at `/proc/self/exe` (which the attacker can control). This is a real problem. In my opinion, the example given here doesn’t really show the same problem, it just shows a misunderstanding of what hard links are. I looked through the history a bit and found that the example was introduced in #33526. That PR actually has two commits, and the first (8478d48dad949b3b1374569a5391089a49094eeb) explains the race condition at the root of the linked security vulnerability. The second commit proceeds to replace the explanation with the example we have today. This commit reverts most of the second commit from #33526. --- library/std/src/env.rs | 41 ++++++++++++++--------------------------- 1 file changed, 14 insertions(+), 27 deletions(-) diff --git a/library/std/src/env.rs b/library/std/src/env.rs index f03d298d869..e287a93da7b 100644 --- a/library/std/src/env.rs +++ b/library/std/src/env.rs @@ -644,36 +644,23 @@ pub fn temp_dir() -> PathBuf { /// /// # Security /// -/// The output of this function should not be used in anything that might have -/// security implications. For example: +/// The output of this function should not be trusted for anything +/// that might have security implications. Basically, if users can run +/// the executable, they can change the output arbitrarily. /// -/// ``` -/// fn main() { -/// println!("{:?}", std::env::current_exe()); -/// } -/// ``` +/// As an example, you can easily introduce a race condition. It goes +/// like this: /// -/// On Linux systems, if this is compiled as `foo`: +/// 1. You get the path to the current executable using `current_exe()`, and +/// store it in a variable. +/// 2. Time passes. A malicious actor removes the current executable, and +/// replaces it with a malicious one. +/// 3. You then use the stored path to re-execute the current +/// executable. /// -/// ```bash -/// $ rustc foo.rs -/// $ ./foo -/// Ok("/home/alex/foo") -/// ``` -/// -/// And you make a hard link of the program: -/// -/// ```bash -/// $ ln foo bar -/// ``` -/// -/// When you run it, you won’t get the path of the original executable, you’ll -/// get the path of the hard link: -/// -/// ```bash -/// $ ./bar -/// Ok("/home/alex/bar") -/// ``` +/// You expected to safely execute the current executable, but you're +/// instead executing something completely different. The code you +/// just executed run with your privileges. /// /// This sort of behavior has been known to [lead to privilege escalation] when /// used incorrectly.