Skip to content

Fix security vulnerability: restore ownership validation in mkdir_owned_root#1047

Open
mlim19 wants to merge 1 commit into
masterfrom
fix_bug_remove_deadcode
Open

Fix security vulnerability: restore ownership validation in mkdir_owned_root#1047
mlim19 wants to merge 1 commit into
masterfrom
fix_bug_remove_deadcode

Conversation

@mlim19

@mlim19 mlim19 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Remove erroneous unconditional return statement in mkdir_owned_root() that made ownership validation unreachable (dead code)
  • Restores the security check that ensures temp directories are root-owned before use

Background

Commit 5285bef7 ("Support java profiling without root privilege in a container #987") accidentally introduced an unconditional return statement that bypassed the ownership validation logic:

if path.exists():
    return                                    # <- BUG: makes code below unreachable
    if is_root() and is_owned_by_root(path):  # <- Dead code
        return
    shutil.rmtree(path)                       # <- Never executed

This regression created a local privilege escalation vulnerability where a low-privilege attacker could pre-create /tmp/gprofiler_tmp before gProfiler runs as root. The ownership check that should remove and recreate non-root-owned directories was bypassed.

Test plan

  • Verify mkdir_owned_root() removes non-root-owned directories when running as root
  • Run existing unit tests
  • Manual test: create /tmp/gprofiler_tmp as non-root user, run gProfiler as root, verify directory is recreated as root-owned

🤖 Generated with Claude Code

…ed_root

Remove erroneous unconditional return statement that was accidentally
introduced in commit 5285bef, which made the ownership validation
code unreachable (dead code).

This regression allowed a local privilege escalation attack where a
low-privilege user could pre-create the temp directory before gProfiler
runs as root, bypassing the ownership check that should have removed
and recreated it as root-owned.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 1, 2026 20:30
@mlim19 mlim19 requested a review from dkorlovs July 1, 2026 20:31

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request removes an unintended early return in mkdir_owned_root() so that root ownership validation is no longer unreachable, restoring the intended protection against using attacker-precreated temp directories when running as root.

Changes:

  • Removed an unconditional return that made ownership validation dead code in mkdir_owned_root().
Comments suppressed due to low confidence (1)

gprofiler/utils/fs.py:126

  • mkdir_owned_root() currently treats any existing path as a candidate directory and (after this change) will rmtree() it whenever is_root() is false, which can break rootless runs (e.g. Java profiler __enter__ calls this even when not root). Also, the ownership checks use Path.stat() (follows symlinks), so a user-controlled symlink to a root-owned directory can bypass the validation and later cause writes into an unintended location. Consider handling non-root as a non-destructive “ensure exists & writable” path and explicitly rejecting/removing symlinks/non-directories when running as root.
    if path.exists():
        if is_root() and is_owned_by_root(path):
            return

        shutil.rmtree(path)

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@dkorlovs

dkorlovs commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

@mlim19 do we go through this flow in case of " java profiling without root privilege"? If yes, then correct way to implement it, is to check that user who run gprofiler and owner of directory are the same, i.e. check not only root.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants