*BSD News Article 91440



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!howland.erols.net!newsxfer.itd.umich.edu!yale!oitnews.harvard.edu!purdue!mozo.cc.purdue.edu!schwinger.physics.purdue.edu!ajk
From: ajk@schwinger.physics.purdue.edu (Andrew J. Korty)
Newsgroups: comp.security.unix,comp.unix.bsd.freebsd.misc
Subject: Why is cleaning /tmp with find a security problem?
Date: 20 Mar 1997 02:01:42 GMT
Organization: Purdue University
Lines: 16
Message-ID: <5gq5q6$cst@mozo.cc.purdue.edu>
NNTP-Posting-Host: schwinger.physics.purdue.edu
Xref: euryale.cc.adfa.oz.au comp.security.unix:32761 comp.unix.bsd.freebsd.misc:37322

From the stock /etc/daily distributed with FreeBSD:

# This is a security hole, never use 'find' on a public directory
# with -exec rm -f as root.  This can be exploited to delete any file
# on the system.
#
#find / \( ! -fstype local -o -fstype rdonly \) -a -prune -o \
#   \( -name '[#,]*' -o -name '.#*' -o -name a.out -o -name '*.core' \
#      -o -name '*.CKP' -o -name '.emacs_[0-9]*' \) \
#       -a -atime +3 -exec rm -f -- {} \;

Why?  The first thing that comes to mind is that it has to do with
symbolic links, but "find" won't follow them unless you tell it to.  Am
I missing something obvious?

ajk
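
Added example, not part of the original post or of FreeBSD's /etc/daily: find does not follow symlinks, but `-exec rm -f -- {}` hands rm a full pathname that rm resolves again, following any symlink in a directory component that appeared after find's check. This C sketch removes the same name patterns while holding each directory open and deleting by final name only. `clean_public_dir`, `clean_fd`, the regular-files-only rule and the simplified age test are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <fnmatch.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Name patterns copied from the find command quoted in the post. */
static const char *const junk[] = { "[#,]*", ".#*", "a.out", "*.core", "*.CKP", ".emacs_[0-9]*" };

static int is_junk(const char *name) {
    for (size_t i = 0; i < sizeof junk / sizeof junk[0]; i++)
        if (fnmatch(junk[i], name, 0) == 0) return 1;
    return 0;
}

/* Remove old junk files below the directory open at dfd (ownership of dfd
 * passes to this function). Returns the number of files removed, or -1. */
long clean_fd(int dfd, time_t cutoff) {
    DIR *d = fdopendir(dfd);
    if (!d) { close(dfd); return -1; }
    long removed = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        struct stat st;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (fstatat(dfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) continue;
        if (S_ISDIR(st.st_mode)) {
            /* O_NOFOLLOW: if the entry was swapped for a symlink after the
             * stat above, openat fails instead of leaving the tree. */
            int sub = openat(dfd, e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
            long n = sub >= 0 ? clean_fd(sub, cutoff) : -1;
            if (n > 0) removed += n;
        } else if (S_ISREG(st.st_mode) && is_junk(e->d_name) && st.st_atime < cutoff) {
            /* Only the final name is resolved, relative to the held fd. */
            if (unlinkat(dfd, e->d_name, 0) == 0) removed++;
        }
    }
    closedir(d);  /* also closes dfd */
    return removed;
}

/* Age test approximates "-atime +days" as: last access over days*24h ago. */
long clean_public_dir(const char *root, int days) {
    int fd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    return fd < 0 ? -1 : clean_fd(fd, time(NULL) - (time_t)days * 86400);
}
```

Unlike the quoted command, this walks a single directory tree and does not reproduce the `-fstype` pruning.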