Symlink replacement is non-atomic (TOCTOU race window) #23

New issue

Closed

opened 2026-04-29 23:31:26 +02:00 by heiko · 0 comments

heiko commented 2026-04-29 23:31:26 +02:00

Owner

Copy link

Summary

In cmd/cert-proxy-client/cert/cert.go:233-236, the symlink update is performed as:

_ = os.Remove(name)
err = os.Symlink(filepath.Base(infixed[name]), name)

Between Remove and Symlink there is a window where:

1. Readers get ENOENT (brief unavailability of cert/key files)
2. A local attacker with write access to the directory could place a symlink pointing elsewhere

Exploitation Scenario

A local attacker races the Remove/Symlink window and creates a symlink pointing to a world-readable location. The next cert-proxy-client run writes the private key through that symlink to the attacker-controlled path. Requires write access to the certbase directory.

Recommended Fix

Use atomic symlink replacement via rename:

tmpLink := name + ".tmp"
os.Remove(tmpLink)
os.Symlink(filepath.Base(infixed[name]), tmpLink)
os.Rename(tmpLink, name)  // atomic on most filesystems

This eliminates both the ENOENT window and the race condition.

## Summary In `cmd/cert-proxy-client/cert/cert.go:233-236`, the symlink update is performed as: ```go _ = os.Remove(name) err = os.Symlink(filepath.Base(infixed[name]), name) ``` Between `Remove` and `Symlink` there is a window where: 1. Readers get `ENOENT` (brief unavailability of cert/key files) 2. A local attacker with write access to the directory could place a symlink pointing elsewhere ## Exploitation Scenario A local attacker races the Remove/Symlink window and creates a symlink pointing to a world-readable location. The next cert-proxy-client run writes the private key through that symlink to the attacker-controlled path. Requires write access to the certbase directory. ## Recommended Fix Use atomic symlink replacement via rename: ```go tmpLink := name + ".tmp" os.Remove(tmpLink) os.Symlink(filepath.Base(infixed[name]), tmpLink) os.Rename(tmpLink, name) // atomic on most filesystems ``` This eliminates both the ENOENT window and the race condition.

heiko added the

security

label 2026-04-29 23:31:26 +02:00

heiko referenced this issue from a commit 2026-04-29 23:48:22 +02:00

docs: update Known Issues and file permissions in README

heiko referenced this issue from a commit 2026-05-17 23:17:24 +02:00

fix: atomic symlink replacement in cert client

heiko referenced this issue from a pull request that will close it, 2026-05-17 23:17:41 +02:00

fix: atomic symlink replacement in cert client #34

heiko closed this issue 2026-05-18 10:07:29 +02:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

fix-35-oexcl

packaging

fix/31-reject-cn-path-separator

fix/23-atomic-symlink-replace

feature/frontmatter-svg

debian/bullseye

debian/sid

debian/buster

v1.20.0

v1.19.0

v1.18.3-0.20260429151056-d6246f587aca

v1.18.3-0.20260429150350-eeb96147f3c1

v1.18.2

1.18.1

1.18.0

1.17

debian/1.17-0

debian/1.17_RC0-1

1.17-RC0

1.16-RC1

debian/1.16-RC0-0

1.16-RC0

debian/1.15.3-2

debian/1.15.3-1

1.15.3

1.15.2

debian/1.15.1-2

debian/1.15.1-1

1.15.1

1.15

debian/1.14.1-2

debian/1.14.1-1

1.14.1

1.14

debian/1.13-1

1.13

debian/1.12-2

1.12

1.11

debian/1.10.2-2

debian/1.10.2-1

1.10.2

debian/1.10.1-1

1.10.1

1.10

debian/1.9-2

debian/1.9-1

1.9

debian/1.8-3

debian/1.8-2

debian/1.8-1

1.8

debian/1.7.1-1

1.7.1

debian/1.7-1

1.7

debian/1.6-1

1.6

debian/1.5-4

debian/1.5-3

debian/1.5-2

debian/1.5-1

1.5

1.4

1.3.1

debian/1.3-4

debian/1.3-3

debian/1.3-2

debian/1.3-1

debian/1.3-0

1.3

1.2

1.1

1.0

0.5

0.4

0.3

0.2

0.1

Labels

Clear labels   

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

mod-nag

Automated dependency scan finding

  

mod-nag

Automated dependency scan finding

  

mod-nag

Automated dependency scan finding

  

mod-nag/ignore

Ignore this mod-nag finding

  

mod-nag/ignore

Ignore this mod-nag finding

  

mod-nag/ignore

Ignore this mod-nag finding

  

nagonag

Automated dependency scan finding

  

nagonag/ignore

Ignore this nagonag finding

  

question

More information is needed

  

security

Security vulnerability or hardening

  

wontfix

This won't be fixed

No labels

bug

duplicate

enhancement

help wanted

invalid

mod-nag

mod-nag

mod-nag

mod-nag/ignore

mod-nag/ignore

mod-nag/ignore

nagonag

nagonag/ignore

question

security

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

heiko/cert-proxy#23

No description provided.