tech-toolchain archive


Re: TOCTOU bug in make(1)



On Thu, Oct 6, 2022 at 3:52 PM Joerg Sonnenberger <joerg%bec.de@localhost> wrote:
>
> Am Thu, Oct 06, 2022 at 08:05:51PM +0000 schrieb David Holland:
> > On Thu, Oct 06, 2022 at 09:43:35PM +0200, Joerg Sonnenberger wrote:
> >  > > I ran CodeQL, a SAST tool, against trunk. It found a TOCTOU vulnerability
> >  > > in the `unlink_file` function of make(1). The function is a small wrapper
> >  > > over unlink(2), but it first checks that the file exists using lstat(2).
> >  > > Although I don't see an immediate danger here, I admit I'm not
> >  > > very imaginative for vulnerabilities.
> >  >
> >  > This is necessary for historic reasons because old UNIX systems allow
> >  > unlink(2) on directories with bad consequences.
> >
> > Also, even if unlink() on a directory actually results in a correct
> > rmdir, changing the behavior of that function so that delete-target-
> > on-error sometimes removes directories and sometimes doesn't,
> > depending on the OS or even on the filesystem in use, doesn't seem
> > like a good idea.
>
> Actually, the correct and expected behavior is that it fails on
> directories. unlink and rmdir are supposed to be symmetrical in that
> regard.
>
> Joerg

Many good points. I especially agree that there is likely no
vulnerability here, as make is designed to execute arbitrary code --
fair enough.

I think a comment explaining any historical reasoning always sounds
like a good idea, but I'll leave that for someone else to decide.

Thanks
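
Added illustration of the two patterns discussed in this thread (this is example code written for this archive page, not make's own unlink_file and not code from any participant): a wrapper that does the lstat(2)-then-unlink(2) check CodeQL flags as a TOCTOU window, next to a wrapper that calls unlink(2) directly and relies on the kernel refusing directories (EPERM on POSIX, EISDIR on Linux), which is the symmetry Joerg describes. The demo function creates a throwaway directory under /tmp (a constructed location) with one regular file and one subdirectory, runs both wrappers over them and returns how many expectations failed, so the reader can see that on a current system the pre-check changes nothing except opening the race window.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern described in the thread: look before you leap.  Between lstat(2)
 * and unlink(2) another process can replace the path, so the decision made
 * on the lstat result may no longer apply when unlink runs.  That gap is the
 * TOCTOU finding.  The S_ISDIR guard only protects historic systems where
 * unlink(2) on a directory succeeded.  Returns 0 on success, -1 on error. */
int unlink_with_lstat_check(const char *path)
{
    struct stat st;

    if (lstat(path, &st) == -1)
        return -1;                 /* does not exist: report as failure */
    if (S_ISDIR(st.st_mode)) {
        errno = EISDIR;            /* refuse directories, like old make did */
        return -1;
    }
    return unlink(path);           /* race window: path may have changed */
}

/* Race-free variant: do the operation and let the kernel's answer decide.
 * POSIX unlink(2) fails on a directory (EPERM; Linux reports EISDIR), so no
 * separate existence or type check is needed and there is no window. */
int unlink_direct(const char *path)
{
    if (unlink(path) == 0)
        return 0;
    /* errno is left as the kernel set it: EISDIR/EPERM for a directory,
     * ENOENT for a missing file, EACCES and friends for permission issues. */
    return -1;
}

/* Demo: build a scratch directory (constructed path under /tmp) holding a
 * regular file and a subdirectory, run both wrappers, and return the number
 * of expectations that failed (0 means both behave identically here). */
int demo_unlink_variants(void)
{
    char dir[64], file[128], sub[128];
    int failures = 0;
    FILE *fp;

    snprintf(dir, sizeof dir, "/tmp/unlinkdemo.%ld", (long)getpid());
    if (mkdir(dir, 0700) == -1)
        return -1;
    snprintf(file, sizeof file, "%s/target.o", dir);
    snprintf(sub, sizeof sub, "%s/subdir", dir);

    fp = fopen(file, "w");
    if (fp == NULL)
        return -1;
    fclose(fp);
    if (mkdir(sub, 0700) == -1)
        return -1;

    /* A regular file is removed by the checked wrapper. */
    if (unlink_with_lstat_check(file) != 0)
        failures++;
    if (access(file, F_OK) == 0)
        failures++;

    /* A directory is refused by both wrappers and stays in place. */
    if (unlink_with_lstat_check(sub) != -1 || errno != EISDIR)
        failures++;
    if (unlink_direct(sub) != -1 || (errno != EISDIR && errno != EPERM))
        failures++;
    if (access(sub, F_OK) != 0)
        failures++;

    /* A missing file is reported as ENOENT by the direct wrapper. */
    if (unlink_direct(file) != -1 || errno != ENOENT)
        failures++;

    rmdir(sub);
    rmdir(dir);
    return failures;
}
```

Note that the direct variant still refuses directories on every modern system, which is the point made in the thread: the lstat(2) guard buys nothing there and only matters where unlink(2) on a directory once succeeded.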
