summaryrefslogtreecommitdiffstats
path: root/abuild-rmtemp.c
diff options
context:
space:
mode:
authorSören Tempel <soeren+git@soeren-tempel.net>2018-10-11 16:44:45 +0200
committerSören Tempel <soeren+git@soeren-tempel.net>2018-10-11 17:46:45 +0200
commit17cb68e9fb8a1fcb830c0895b3bd9fab91d4b66c (patch)
tree05a6b905453df5b2d2f13e8b9503dd395ff931fa /abuild-rmtemp.c
parent70f52b9b80e93c3ef676850300ec3a8c4d98cb25 (diff)
downloadabuild-17cb68e9fb8a1fcb830c0895b3bd9fab91d4b66c.tar.bz2
abuild-17cb68e9fb8a1fcb830c0895b3bd9fab91d4b66c.tar.xz
abuild-rmtemp: Do not follow symbolic links
Symbolic links might point to files outside of the chroot and thus might delete files outside the chroot. This allows deletion of arbitrary directories on the host from a malicious APKBUILD. Following hard links shouldn't be a problem since hard links (usually) cannot refer to directories and since remove(3) removes the link, not the file it points to it shouldn't cause a problem. I noticed this because alpine-baselayout creates /var/run as a symlink to /run. Therefore causing /run to be deleted on the host when using abuild-rmtemp which in turn causes a bunch of software to no longer function properly (including OpenRC).
Diffstat (limited to 'abuild-rmtemp.c')
-rw-r--r--abuild-rmtemp.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/abuild-rmtemp.c b/abuild-rmtemp.c
index 1fca31c..b9511ce 100644
--- a/abuild-rmtemp.c
+++ b/abuild-rmtemp.c
@@ -44,7 +44,7 @@ int main(int argc, char **argv) {
if (!p) errx(1, "Incorrect user");
if (s.st_uid != p->pw_uid) errx(1, "Permission denied");
- if (nftw(argv[1], handler, 512, FTW_DEPTH)) fail();
+ if (nftw(argv[1], handler, 512, FTW_DEPTH|FTW_PHYS)) fail();
return 0;
}