uutils coreutils mv Utility Ownership Preservation Vulnerability

A vulnerability exists in the mv utility of uutils coreutils, where file ownership is not preserved during moves across different filesystem boundaries. Instead of maintaining the source metadata, the utility reverts to a copy-and-delete method that assigns the destination file to the caller's UID/GID. This issue disrupts backups and file migrations, causing files moved by privileged users, such as root, to be incorrectly owned by root. Such ownership changes can lead to unauthorized access or information disclosure for the intended file owners.

Impact

The vulnerability causes files moved by the root user across different filesystems to lose their original ownership, resulting in unintended root ownership. This flaw can disrupt administrative scripts, backups, and file migrations that rely on the mv command to preserve metadata, similar to how an in-filesystem rename would.

Reproduction

To reproduce this vulnerability, create a test file and change its ownership to a non-root user. Then, mount a temporary filesystem and use the mv command to move the file to the mounted filesystem. After unmounting, check the file's ownership on the destination, which will incorrectly show root as the owner instead of the original user.

Remediation

Users can update to the latest version of uutils coreutils, where this issue has been addressed. Instructions for downloading the updated version are available on the uutils coreutils GitHub page.