File::Path Security: History and Current Status



James E Keenan

Philadelphia.pm
Philadelphia, PA
September 11 2017


Table of Contents

1. Introduction
2. The Basic Problem
3. What's My Role?

4. Before File::Path::rmtree: rm -rf
5. What Do the Experts Say? FreeBSD (10.3)
6. What Do the Experts Say? Linux (GNU coreutils 8.5)
7. Interaction between rm -rf and Directory Permissions
8. Test program rm-rf-no-file.t
9. Test program rm-rf-no-file.t (continued 1)
10. Test program rm-rf-no-file.t (continued 2)
11. Test program rm-rf-no-file.t (continued 3)
12. Why Did I Succeed?
13. A More Complex Case: rm-rf-with-file.t
14. A More Complex Case: rm-rf-with-file.t (continued 1)
15. A More Complex Case: rm-rf-with-file.t (continued 2)
16. A More Complex Case: rm-rf-with-file.t (continued 3)
17. A More Complex Case: rm-rf-with-file.t (continued 4)
18. A More Complex Case: rm-rf-with-file.t (continued 5)
19. A More Complex Case: rm-rf-with-file.t (continued 6)
20. A More Complex Case: rm-rf-with-file.t (continued 7)
21. A More Complex Case: rm-rf-with-file.t (continued 8)
22. Summary of Interaction between Directory Permissions and rm -rf

23. Recursive Removal of Trees in Perl
24. File::Path: A Tumultuous History
25. File::Path::rmtree(): Interface 1
26. File::Path::rmtree(): Interface 1: Use of Positional Parameters Is Suboptimal
27. File::Path::rmtree(): Interface 2
28. File::Path::rmtree(): Critique of Interface 2
29. File::Path::remove_tree(): Interface 3
30. Why I'll Be Using Interface 1 in This Presentation

31. File::Path::rmtree: History of a Function
32. In the Beginning
33. Running the Earliest Version of rmtree()
34. Running the Earliest Version of rmtree() (continued 1)
35. Running the Earliest Version of rmtree() (continued 2)
36. Earliest Version of rmtree() Works Same as rm -rf
37. But What About "Safety"?
38. But What Did "Safety" Mean?
39. "Traditional" rmtree() Was Not the Original rmtree
40. "Traditional" rmtree() Example
41. "Traditional" rmtree() Example (continued 1)
42. "Traditional" rmtree() Example (continued 2)
43. When and How Did "Traditional" rmtree() Get Its Superpowers?
44. When and How Did "Traditional" rmtree() Get Its Superpowers? (continued)
45. Why Was "Traditional" rmtree() Given Superpowers?
46. Why Was "Traditional" rmtree() Given Superpowers? (continued)
47. Why Was "Traditional" rmtree() Given Superpowers? (continued 2)
48. Secure Syntax Should Be Simpler Than Insecure
49. A Major Design Flaw in 1997
50. And a Process Flaw as Well
51. Let's Catch Our Breath

52. Security Vulnerability
53. TOCTTOU in File::Path::rmtree() Version 2.12
54. TOCTTOU in File::Path::rmtree() Version 2.12 (continued 1)
55. TOCTTOU in File::Path::rmtree() Version 2.12 (continued 2)
56. TOCTTOU in File::Path::rmtree() Version 2.12 (continued 3)
57. TOCTTOU in File::Path::rmtree() Version 2.12 (continued 4)
58. TOCTTOU in File::Path::rmtree() Version 2.12 (continued 5)

59. The 2017 Security Vulnerability
60. File::Path::rmtree(): 2017 Vulnerability Addressed
61. What Will Be the Impact of Changes in Version 2.14?
62. Impact of Version 2.14 Changes: Test Program
63. Impact of Version 2.14 Changes: Test Program (continued 1)
64. Impact of Version 2.14 Changes: Test Program (continued 2)
65. Impact of Version 2.14 Changes: Test Program (continued 3)
66. Impact of Version 2.14 Changes: Assessment
67. Remediation for Version 2.14 Changes
68. Remediation for Version 2.14 Changes (continued)
69. Version 2.14 Changes: rmtree() Is Still Quite Powerful
70. Version 2.14 Changes: Impact on File::Temp::tempdir()
71. Version 2.14 Changes: Impact on File::Temp::tempdir() (continued)
72. Version 2.14 Changes: Impact on CPAN.pm

73. Summary

74. Bonus Slides

75. A Primer on File and Directory Permissions
76. File Permissions: Absolute Notation
77. What Is a Directory?
78. What Are Directory Permissions?
79. read Permissions on a Directory
80. read Permissions on a Directory: Example
81. read Permissions on a Directory: Example (continued 1)
82. read Permissions on a Directory: Example (continued 2)
83. write Permissions on a Directory
84. write Permissions on a Directory: Example
85. write Permissions on a Directory: Example (continued 1)
86. write Permissions on a Directory: Example (continued 2)
87. write Permissions on a Directory: Example (continued 3)
88. execute Permissions on a Directory
89. execute Permissions on a Directory: What Do the Experts Say?
90. execute Permissions on a Directory: Example
91. execute Permissions on a Directory: Example (continued 1)

92. rm -rf versus rm -r
93. rm -rf versus rm -r: Which Should I Use?

94. John Lightsey on rm -r

95. File::Path::rmtree: A History of Security Vulnerabilities
96. File::Path::rmtree() 1.99_01: Documentation of Race Conditions
97. File::Path::rmtree() 2.01: Acknowledgment of Race Conditions
98. File::Path::rmtree(): Multiple CVEs
99. The End