*BSD News Article 91813

Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!news.Hawaii.Edu!ames!enews.sgi.com!super.zippo.com!zdc!su-news-hub1.bbnplanet.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!newsfeed.nacamar.de!fu-berlin.de!informatik.tu-muenchen.de!lrz-muenchen.de!bos-muenchen.de!42.org!sec
From: sec@matrix.42.org (Stefan `Sec` Zehl)
Newsgroups: comp.security.unix,comp.unix.bsd.freebsd.misc
Subject: Re: Why is cleaning /tmp with find a security problem?
Date: 20 Mar 1997 17:10:15 +0100
Organization: Internet@home
Lines: 33
Message-ID: <slrn5j2ob7.mbe.sec@matrix.42.org>
References: <5gq5q6$cst@mozo.cc.purdue.edu> <5grh8m$fb0$1@pad-thai.cam.ov.com>
NNTP-Posting-Host: matrix.42.org
X-Newsreader: slrn (0.9.3.0-2 BETA UNIX)
Xref: euryale.cc.adfa.oz.au comp.security.unix:32869 comp.unix.bsd.freebsd.misc:37556

In article <5grh8m$fb0$1@pad-thai.cam.ov.com>, Jonathan I. Kamens wrote:
> In article <5gq5q6$cst@mozo.cc.purdue.edu>, ajk@schwinger.physics.purdue.edu (Andrew J. Korty) writes:
> |> From the stock /etc/daily distributed with FreeBSD:
> |> 
> |> # This is a security hole, never use 'find' on a public directory
> |> # with -exec rm -f as root.  This can be exploited to delete any file
> |> # on the system.
> |> #
> |> #find / \( ! -fstype local -o -fstype rdonly \) -a -prune -o \
> |> #   \( -name '[#,]*' -o -name '.#*' -o -name a.out -o -name '*.core' \
> |> #      -o -name '*.CKP' -o -name '.emacs_[0-9]*' \) \
> |> #       -a -atime +3 -exec rm -f -- {} \;
> |> 
> |> Why?  The first thing that comes to mind is that it has to do with
> |> symbolic links, but "find" won't follow them unless you tell it to.  Am
> |> I missing something obvious?
> 
> I suspect the comment is confused, and its author was thinking about
> a similar security problem which doesn't actually occur here.

No, you are wrong :)

There is a security hole in this statement which was discussed on bugtraq
long ago - it involves a race between 'find' determining the filename
and the 'exec rm' deleting it; in the meantime you could replace
intervening directories by symlinks to delete arbitrary files ...

CU,
	Sec
-- 
Fuer die Raupe ist es das Ende der Welt,
Fuer den Rest der Welt ist es ein Schmetterling
							    Error 0: No error
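An added shell example, not part of Sec's post and not taken from FreeBSD's /etc/daily, that reproduces the race he describes on a scratch tree under mktemp. The directory names (public, private, junk) and the victim file are made up for the demonstration, and the race window is widened deterministically: the "attacker" swaps a directory for a symlink between find printing a path and rm acting on it, which is exactly what an -exec that runs per match lets a user race against. Note that the file rm ends up unlinking keeps the last path component find saw, so with the -name filters in the daily script the attacker can reach any file on the system whose name matches one of those patterns; with an unfiltered cleaner of /tmp he can reach any file. The second function is a hand-rolled illustration of the general remedy (unlink relative to a directory you have already entered and verified, never by full path); modern find implementations offer -delete and -execdir, which act relative to the directory find has already opened, for the same reason.

```shell
#!/bin/sh
# Added example: reproduces the find / -exec rm race from the post on a
# scratch tree under mktemp.  Directory names (public, private, junk) and
# the target file name are made up for the demonstration.  The race window
# is widened deterministically: the "attacker" swaps a directory for a
# symlink between find producing a path and rm acting on it.

setup_tree() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/public/user/junk" "$work/private"
    : > "$work/public/user/junk/a.out"      # junk find is meant to remove
    echo secret > "$work/private/a.out"     # victim outside the public tree
    printf '%s\n' "$work"
}

# The attacker owns public/user: rename junk away and put a symlink to the
# private directory in its place.  Nothing under private is writable by him.
attacker_swap() {
    mv "$1/public/user/junk" "$1/public/user/junk.bak"
    ln -s "$1/private" "$1/public/user/junk"
}

# What /etc/daily did: find names a path, rm -f -- <path> is run later.
# rm resolves the full path again, follows the new symlink in the middle
# and unlinks private/a.out instead of the junk file.
vulnerable_clean() {
    work=$1
    find "$work/public" -name a.out -print > "$work/list"
    attacker_swap "$work"
    while IFS= read -r p; do
        rm -f -- "$p"
    done < "$work/list"
}

# Remedy: do the unlink relative to a directory the cleaner has already
# entered and verified, never by full path.  After cd the working directory
# is an inode; renaming or symlinking path components afterwards cannot move
# "./a.out" somewhere else.  pwd -P catches a swap that happened before cd.
safe_clean() {
    work=$1
    root=$(cd "$work/public" && pwd -P)
    find "$work/public" -type d -print > "$work/dirs"
    attacker_swap "$work"
    while IFS= read -r d; do
        (
            cd "$d" || exit 0
            rel=${d#"$work/public"}
            [ "$(pwd -P)" = "$root$rel" ] || exit 0   # not where we expect: skip
            for f in ./a.out ./*.core ./*.CKP; do
                [ -f "$f" ] && rm -f -- "$f"
            done
            exit 0
        )
    done < "$work/dirs"
}

# Returns 0 when the victim file outside the tree got deleted (attack worked).
demo_vulnerable() {
    work=$(setup_tree) || return 1
    vulnerable_clean "$work"
    if [ ! -e "$work/private/a.out" ]; then status=0; else status=1; fi
    rm -rf -- "$work"
    return $status
}

# Returns 0 when the victim survived (cleaner stayed inside the tree).
demo_safe() {
    work=$(setup_tree) || return 1
    safe_clean "$work"
    if [ -e "$work/private/a.out" ]; then status=0; else status=1; fi
    rm -rf -- "$work"
    return $status
}

echo "find -exec rm: $(demo_vulnerable && echo 'victim deleted' || echo 'victim intact')"
echo "cd + pwd -P:   $(demo_safe && echo 'victim intact' || echo 'victim deleted')"
```

Run it as an unprivileged user; it only touches the mktemp directory. The vulnerable cleaner reports the file outside the tree as deleted, the directory-relative one leaves it alone because the verified working directory no longer matches the path find printed.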