Fix security vulnerability: restore ownership validation in mkdir_owned_root#1047
Open
mlim19 wants to merge 1 commit into
Open
Fix security vulnerability: restore ownership validation in mkdir_owned_root#1047mlim19 wants to merge 1 commit into
mlim19 wants to merge 1 commit into
Conversation
…ed_root Remove erroneous unconditional return statement that was accidentally introduced in commit 5285bef, which made the ownership validation code unreachable (dead code). This regression allowed a local privilege escalation attack where a low-privilege user could pre-create the temp directory before gProfiler runs as root, bypassing the ownership check that should have removed and recreated it as root-owned. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This pull request removes an unintended early return in mkdir_owned_root() so that root ownership validation is no longer unreachable, restoring the intended protection against using attacker-precreated temp directories when running as root.
Changes:
- Removed an unconditional
returnthat made ownership validation dead code inmkdir_owned_root().
Comments suppressed due to low confidence (1)
gprofiler/utils/fs.py:126
mkdir_owned_root()currently treats any existing path as a candidate directory and (after this change) willrmtree()it wheneveris_root()is false, which can break rootless runs (e.g. Java profiler__enter__calls this even when not root). Also, the ownership checks usePath.stat()(follows symlinks), so a user-controlled symlink to a root-owned directory can bypass the validation and later cause writes into an unintended location. Consider handling non-root as a non-destructive “ensure exists & writable” path and explicitly rejecting/removing symlinks/non-directories when running as root.
if path.exists():
if is_root() and is_owned_by_root(path):
return
shutil.rmtree(path)
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
dkorlovs
approved these changes
Jul 2, 2026
Contributor
|
@mlim19 do we go through this flow in case of " java profiling without root privilege"? If yes, then correct way to implement it, is to check that user who run gprofiler and owner of directory are the same, i.e. check not only root. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
returnstatement inmkdir_owned_root()that made ownership validation unreachable (dead code)Background
Commit
5285bef7("Support java profiling without root privilege in a container #987") accidentally introduced an unconditionalreturnstatement that bypassed the ownership validation logic:This regression created a local privilege escalation vulnerability where a low-privilege attacker could pre-create
/tmp/gprofiler_tmpbefore gProfiler runs as root. The ownership check that should remove and recreate non-root-owned directories was bypassed.Test plan
mkdir_owned_root()removes non-root-owned directories when running as root/tmp/gprofiler_tmpas non-root user, run gProfiler as root, verify directory is recreated as root-owned🤖 Generated with Claude Code