heiko/cert-proxy
1
0
Fork 0
Code Issues 5 Pull requests Releases 6 Activity Actions

Symlink replacement is non-atomic (TOCTOU race window) #23

New issue
Open
opened 2026-04-29 23:31:26 +02:00 by heiko · 0 comments
heiko commented 2026-04-29 23:31:26 +02:00
Owner
Copy link

Summary

In cmd/cert-proxy-client/cert/cert.go:233-236, the symlink update is performed as:

_ = os.Remove(name)
err = os.Symlink(filepath.Base(infixed[name]), name)

Between Remove and Symlink there is a window where:

  1. Readers get ENOENT (brief unavailability of cert/key files)
  2. A local attacker with write access to the directory could place a symlink pointing elsewhere

Exploitation Scenario

A local attacker races the Remove/Symlink window and creates a symlink pointing to a world-readable location. The next cert-proxy-client run writes the private key through that symlink to the attacker-controlled path. Requires write access to the certbase directory.

Recommended Fix

Use atomic symlink replacement via rename:

tmpLink := name + ".tmp"
os.Remove(tmpLink)
os.Symlink(filepath.Base(infixed[name]), tmpLink)
os.Rename(tmpLink, name)  // atomic on most filesystems

This eliminates both the ENOENT window and the race condition.

## Summary In `cmd/cert-proxy-client/cert/cert.go:233-236`, the symlink update is performed as: ```go _ = os.Remove(name) err = os.Symlink(filepath.Base(infixed[name]), name) ``` Between `Remove` and `Symlink` there is a window where: 1. Readers get `ENOENT` (brief unavailability of cert/key files) 2. A local attacker with write access to the directory could place a symlink pointing elsewhere ## Exploitation Scenario A local attacker races the Remove/Symlink window and creates a symlink pointing to a world-readable location. The next cert-proxy-client run writes the private key through that symlink to the attacker-controlled path. Requires write access to the certbase directory. ## Recommended Fix Use atomic symlink replacement via rename: ```go tmpLink := name + ".tmp" os.Remove(tmpLink) os.Symlink(filepath.Base(infixed[name]), tmpLink) os.Rename(tmpLink, name) // atomic on most filesystems ``` This eliminates both the ENOENT window and the race condition.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
debian/bullseye
debian/sid
debian/buster
v1.19.0
v1.18.3-0.20260430111455-ee25acfa3a4f
v1.18.3-0.20260430095055-71602abfde05
v1.18.3-0.20260429214741-438e284e58b6
v1.18.3-0.20260429195939-584f77bb4bf7
v1.18.3-0.20260429151056-d6246f587aca
v1.18.3-0.20260429150350-eeb96147f3c1
v1.18.2
1.18.1
1.18.0
1.17
debian/1.17-0
debian/1.17_RC0-1
1.17-RC0
1.16-RC1
debian/1.16-RC0-0
1.16-RC0
debian/1.15.3-2
debian/1.15.3-1
1.15.3
1.15.2
debian/1.15.1-2
debian/1.15.1-1
1.15.1
1.15
debian/1.14.1-2
debian/1.14.1-1
1.14.1
1.14
debian/1.13-1
1.13
debian/1.12-2
1.12
1.11
debian/1.10.2-2
debian/1.10.2-1
1.10.2
debian/1.10.1-1
1.10.1
1.10
debian/1.9-2
debian/1.9-1
1.9
debian/1.8-3
debian/1.8-2
debian/1.8-1
1.8
debian/1.7.1-1
1.7.1
debian/1.7-1
1.7
debian/1.6-1
1.6
debian/1.5-4
debian/1.5-3
debian/1.5-2
debian/1.5-1
1.5
1.4
1.3.1
debian/1.3-4
debian/1.3-3
debian/1.3-2
debian/1.3-1
debian/1.3-0
1.3
1.2
1.1
1.0
0.5
0.4
0.3
0.2
0.1
Labels
Clear labels   
bug
Something is not working

  
duplicate
This issue or pull request already exists

  
enhancement
New feature

  
help wanted
Need some help

  
invalid
Something is wrong

  
question
More information is needed

  
security
Security vulnerability or hardening

  
wontfix
This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
invalid
question
security
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
heiko/cert-proxy#23
No description provided.