Opened 7 years ago
#17927 new defect
VBoxLinuxAdditions.run --target is dangerous if dir exists (possible data loss)
| Reported by: | Hagge | Owned by: | |
|---|---|---|---|
| Component: | guest additions | Version: | VirtualBox 5.2.16 |
| Keywords: | Possible data loss | Cc: | |
| Guest type: | Linux | Host type: | all |
Description
Running VBoxLinuxAdditions.run usually creates a directory in /tmp. But running this script with option --target <dir> is very dangerous, if the directory <dir> already exists. This may result in a possible large data loss! The script more or less does:
- mkdir <dir>
- [extract several files to <dir>]
- chown -R <currentuser>:<currentuser> <dir>
- [build and install drivers]
- rm -rf <dir>
Now imagine you call this with the home directory as argument.
sudo ./VBoxLinuxAdditions.run --target ~
- This is a no-op, the home directory already exists.
- This will extract files all across the home directory. Bad idea!
- This will transfer ownership of *all* files in user's home directory (including the directory itself) to root. Very bad idea!!!
- [not relevant]
- This will remove the whole home directory. Totally unacceptable!!!
This is a grossly negligent, even fatal script design!!!!
If you want to do it this way, then there *must* be a check if the target directory <dir> already exists and the script must fail with an error if so.
Note:
See TracTickets
for help on using tickets.
