*BSD News Article 91665


Return to BSD News archive

Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!news.Hawaii.Edu!ames!enews.sgi.com!news.sgi.com!howland.erols.net!newsxfer3.itd.umich.edu!bloom-beacon.mit.edu!pad-thai.cam.ov.com!not-for-mail
From: jik@cam.ov.com (Jonathan I. Kamens)
Newsgroups: comp.security.unix,comp.unix.bsd.freebsd.misc
Subject: Re: Why is cleaning /tmp with find a security problem?
Date: 20 Mar 1997 14:23:18 GMT
Organization: OpenVision Technologies, Inc.
Lines: 50
Message-ID: <5grh8m$fb0$1@pad-thai.cam.ov.com>
References: <5gq5q6$cst@mozo.cc.purdue.edu>
NNTP-Posting-Host: gza-client1.cam.ov.com
X-newsreader: xrn 8.03-beta-24
Xref: euryale.cc.adfa.oz.au comp.security.unix:32867 comp.unix.bsd.freebsd.misc:37553

In article <5gq5q6$cst@mozo.cc.purdue.edu>, ajk@schwinger.physics.purdue.edu (Andrew J. Korty) writes:
|> From the stock /etc/daily distributed with FreeBSD:
|> 
|> # This is a security hole, never use 'find' on a public directory
|> # with -exec rm -f as root.  This can be exploited to delete any file
|> # on the system.
|> #
|> #find / \( ! -fstype local -o -fstype rdonly \) -a -prune -o \
|> #   \( -name '[#,]*' -o -name '.#*' -o -name a.out -o -name '*.core' \
|> #      -o -name '*.CKP' -o -name '.emacs_[0-9]*' \) \
|> #       -a -atime +3 -exec rm -f -- {} \;
|> 
|> Why?  The first thing that comes to mind is that it has to do with
|> symbolic links, but "find" won't follow them unless you tell it to.  Am
|> I missing something obvious?

I suspect the comment is confused, and its author was thinking about
a similar security problem which doesn't actually occur here.

Cleanup commands of this sort in crontabs used to be in the form "find
... -print | xargs rm -f".  That *is* a security hole, because an
attacker can create a filename with a newline in it and cause xargs to
treat everything after the newline as a separate argument to rm.  For
example:

> cd /tmp
> touch 'foo\^Jbar'
> find . -name 'foo*' -print
./foo
bar
> find . -name 'foo*' -print | xargs ls
./foo not found
bar not found
> find . -name 'foo*' -ok rm {} \;
< rm ... ./foo
bar >?   y
> 

The ramifications of this are left as an exercise to the reader.

The solution to this security hole is either (a) use a version of find
that supports "-print0" and a version of xargs that supports "-0", so
that newline is no longer the separator, since it's impossible for a
user to create a filename with a null in it, or (b) use -exec as shown
in the command above instead of -print piped into xargs.  Since the
command commented out above uses -exec, I don't think it's a security
problem.

-- 
Jonathan Kamens  |  OpenVision Technologies, Inc.  |   jik@cam.ov.com