Time of Check Time of Use (TOCTOU)

Affecting chownr package, versions <0.0.0

low severity


This was deemed not a vulnerability.


chownr is a package that takes the same arguments as fs.chown().

Affected versions of this package are vulnerable to Time of Check Time of Use (TOCTOU).

Information: Maintainer's Advice

There is no readdir that will succeed on actual directories, and fail on symlinks to directories. The basic flow would be:

1) Read a directory, get a list of items.
2) One of those items is a directory.
3) After the initial readdir (or readdir+lstat), but before the directory traversal, an attacker moves the directory aside and replaces it with a symbolic link to some other directory.
4) The script will proceed to change ownership of all items in the symlink target directory.

There is no readdir(3) call that will succeed on a "real" directory, but fail on a symbolic link to a directory. What that means is that there is no atomic way to verify that, at the exact time of reading a directory, it's a real directory and not a symlink to somewhere else.

That being the case there will always be a TOCTOU issue for any recursive filesystem operation that traverses directories making changes at each level.
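The flow the maintainer describes is path-based: readdir, then a second lookup by name to descend. The added example below (written for this page, not chownr's code) goes beyond the advisory by showing the descriptor-relative traversal available in C, where every step is relative to the parent's open directory fd and a directory that is swapped for a symlink after readdir is refused by O_NOFOLLOW rather than followed. chown_tree_at, chown_tree, demo_count and the /tmp fixture are constructed for illustration; the fixture passes uid/gid -1 so it runs unprivileged.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Recursive chown where every step is relative to an already-open directory fd.
 * Symlinks are chowned in place, never followed, and openat() with
 * O_NOFOLLOW|O_DIRECTORY refuses to descend into an entry that became a symlink
 * after readdir. Returns the number of entries changed, or -1 on error. */
static long chown_tree_at(int dirfd, const char *name, uid_t uid, gid_t gid) {
    struct stat st;
    if (fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) != 0) return -1;
    if (fchownat(dirfd, name, uid, gid, AT_SYMLINK_NOFOLLOW) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return 1;           /* files and symlinks: done */
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                        /* ELOOP: swapped for a symlink */
    DIR *d = fdopendir(fd);                       /* d now owns fd */
    if (!d) { close(fd); return -1; }
    long count = 1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        long n = chown_tree_at(fd, e->d_name, uid, gid);   /* relative to fd */
        if (n < 0) { closedir(d); return -1; }
        count += n;
    }
    closedir(d);
    return count;
}

long chown_tree(const char *root, uid_t uid, gid_t gid) {
    return chown_tree_at(AT_FDCWD, root, uid, gid);
}

/* Constructed fixture (hypothetical, not from the advisory): tree/sub/file and
 * tree/link -> ../outside; outside/secret must not be touched. Returns the count. */
long demo_count(void) {
    char base[] = "/tmp/chownr-toctou-XXXXXX", p[300];
    if (!mkdtemp(base)) return -1;
    const char *dirs[] = { "outside", "tree", "tree/sub" };
    for (int i = 0; i < 3; i++) { snprintf(p, sizeof p, "%s/%s", base, dirs[i]); mkdir(p, 0700); }
    const char *files[] = { "outside/secret", "tree/sub/file" };
    for (int i = 0; i < 2; i++) { snprintf(p, sizeof p, "%s/%s", base, files[i]); close(open(p, O_CREAT | O_WRONLY, 0600)); }
    snprintf(p, sizeof p, "%s/tree/link", base); symlink("../outside", p);
    snprintf(p, sizeof p, "%s/tree", base);
    return chown_tree(p, (uid_t)-1, (gid_t)-1);   /* -1/-1: ownership left unchanged */
}
```

The walk reports 4 entries (tree, sub, file, link): the link is chowned as a link and outside/secret is never visited, which is the behaviour the path-based flow above cannot guarantee.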


There is no fixed version for chownr.



Jeff Epler
Snyk ID
31 Jul, 2018
11 Jan, 2019