shared.Mkdir: os.Stat follows symlinks, allows redirect of cert file writes #36

New issue

Closed

opened 2026-05-18 08:32:28 +02:00 by heiko · 2 comments

heiko commented

2026-05-18 08:32:28 +02:00

Owner

Summary

internal/shared/mkdir.go:13 uses os.Stat (symlink-following) in the EEXIST fallback:

err := os.Mkdir(dir, 0777)
if err != nil && os.IsExist(err) {
    stat, err := os.Stat(dir)   // follows symlinks
    if err != nil { return err }
    if stat.IsDir() { return nil }
}

Between os.Mkdir returning EEXIST and os.Stat running, a local attacker with write access to the certbase parent can replace the domain directory with a symlink pointing to an arbitrary directory. os.Stat follows the symlink, sees a directory, and returns nil. All subsequent cert and private key writes go to the attacker-controlled path.

Fix

Use os.Lstat instead of os.Stat so the check applies to the directory entry itself, not its target:

stat, err := os.Lstat(dir)

Or replace the whole function with os.MkdirAll, which is race-safe for the common case.

## Summary `internal/shared/mkdir.go:13` uses `os.Stat` (symlink-following) in the EEXIST fallback: ```go err := os.Mkdir(dir, 0777) if err != nil && os.IsExist(err) { stat, err := os.Stat(dir) // follows symlinks if err != nil { return err } if stat.IsDir() { return nil } } ``` Between `os.Mkdir` returning EEXIST and `os.Stat` running, a local attacker with write access to the certbase parent can replace the domain directory with a symlink pointing to an arbitrary directory. `os.Stat` follows the symlink, sees a directory, and returns nil. All subsequent cert and private key writes go to the attacker-controlled path. ## Fix Use `os.Lstat` instead of `os.Stat` so the check applies to the directory entry itself, not its target: ```go stat, err := os.Lstat(dir) ``` Or replace the whole function with `os.MkdirAll`, which is race-safe for the common case.

heiko added the

security

label

2026-05-18 08:32:28 +02:00

heiko commented

2026-05-22 00:05:15 +02:00

Author

Owner

Confirmed. internal/shared/mkdir.go:13 does os.Stat, which follows symlinks. An attacker with write access to the certbase parent can replace a domain directory with a symlink between the os.Mkdir EEXIST return and the os.Stat call; cert and private key writes then go to the symlink target.

Fix: os.Lstat — one-liner, makes the stat apply to the entry itself rather than its target. If a symlink is sitting there, stat.IsDir() returns false and we bubble an error rather than silently writing through it.

os.MkdirAll is an alternative but changes the semantics (creates intermediate dirs, not just one level); keeping os.Mkdir + os.Lstat is the minimal correct fix.

— 🤖 Generated with Claude Code (claude-sonnet-4-6)

Confirmed. `internal/shared/mkdir.go:13` does `os.Stat`, which follows symlinks. An attacker with write access to the certbase parent can replace a domain directory with a symlink between the `os.Mkdir` EEXIST return and the `os.Stat` call; cert and private key writes then go to the symlink target. Fix: `os.Lstat` — one-liner, makes the stat apply to the entry itself rather than its target. If a symlink is sitting there, `stat.IsDir()` returns false and we bubble an error rather than silently writing through it. `os.MkdirAll` is an alternative but changes the semantics (creates intermediate dirs, not just one level); keeping `os.Mkdir` + `os.Lstat` is the minimal correct fix. — 🤖 Generated with Claude Code (claude-sonnet-4-6)

heiko referenced this issue from a commit

2026-05-22 00:27:32 +02:00

test: add regression for #36 ai:claude-sonnet-4-6

heiko referenced this issue from a commit

2026-05-22 00:27:32 +02:00

fix: Lstat in Mkdir rejects symlink-to-dir ai:claude-sonnet-4-6

heiko referenced this issue from a pull request that will close it,

2026-05-22 00:27:45 +02:00

fix: Lstat in Mkdir rejects symlink-to-dir #40

heiko referenced this issue

2026-05-22 00:44:59 +02:00

fix: Lstat in Mkdir rejects symlink-to-dir #40