Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!metro!metro!munnari.OZ.AU!news.Hawaii.Edu!ames!enews.sgi.com!super.zippo.com!zdc!su-news-hub1.bbnplanet.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!newsfeed.nacamar.de!fu-berlin.de!informatik.tu-muenchen.de!lrz-muenchen.de!bos-muenchen.de!42.org!sec
From: sec@matrix.42.org (Stefan `Sec` Zehl)
Newsgroups: comp.security.unix,comp.unix.bsd.freebsd.misc
Subject: Re: Why is cleaning /tmp with find a security problem?
Date: 20 Mar 1997 17:10:15 +0100
Organization: Internet@home
Lines: 33
Message-ID: <slrn5j2ob7.mbe.sec@matrix.42.org>
References: <5gq5q6$cst@mozo.cc.purdue.edu> <5grh8m$fb0$1@pad-thai.cam.ov.com>
NNTP-Posting-Host: matrix.42.org
X-Newsreader: slrn (0.9.3.0-2 BETA UNIX)
Xref: euryale.cc.adfa.oz.au comp.security.unix:32869 comp.unix.bsd.freebsd.misc:37556

In article <5grh8m$fb0$1@pad-thai.cam.ov.com>, Jonathan I. Kamens wrote:
> In article <5gq5q6$cst@mozo.cc.purdue.edu>, ajk@schwinger.physics.purdue.edu (Andrew J. Korty) writes:
> |> From the stock /etc/daily distributed with FreeBSD:
> |>
> |> # This is a security hole, never use 'find' on a public directory
> |> # with -exec rm -f as root. This can be exploited to delete any file
> |> # on the system.
> |> #
> |> #find / \( ! -fstype local -o -fstype rdonly \) -a -prune -o \
> |> # \( -name '[#,]*' -o -name '.#*' -o -name a.out -o -name '*.core' \
> |> # -o -name '*.CKP' -o -name '.emacs_[0-9]*' \) \
> |> # -a -atime +3 -exec rm -f -- {} \;
> |>
> |> Why? The first thing that comes to mind is that it has to do with
> |> symbolic links, but "find" won't follow them unless you tell it to. Am
> |> I missing something obvious?
>
> I suspect the comment is confused, and its author was thinking about
> a similar security problem which doesn't actually occur here.
No you are wrong :)

There is a security hole in this statement which was discussed on bugtraq long ago - it involves a race between 'find' determining the filename and the 'exec rm' deleting it; in the meantime you could replace intervening directories by symlinks to delete arbitrary files ...

CU,
Sec
-- 
For the caterpillar it is the end of the world,
For the rest of the world it is a butterfly
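The weakness Sec describes is that 'find' resolves a pathname and then 'rm' resolves the same pathname again from scratch, so any directory component can be swapped for a symlink in between. The mitigation is to never re-resolve: open each directory once and do every stat and unlink relative to that descriptor (unlinkat), with O_NOFOLLOW on the way down, which is the approach later find(1) implementations take for their -delete primary. The following Python script is an added example, not code from this thread or from FreeBSD's /etc/daily; it reimplements the quoted job's name patterns (is_junk and clean_dir are hypothetical helpers) on a constructed temporary tree whose "evil" symlink stands in for the swapped-in directory.

```python
import errno
import os
import stat
import tempfile
import time

def is_junk(name):  # roughly the name patterns from the quoted /etc/daily job
    return (name == "a.out" or name.endswith((".core", ".CKP"))
            or name[:1] in ("#", ",") or name.startswith((".#", ".emacs_")))

def clean_dir(dir_fd, max_age_s, now=None):
    """Delete stale junk below dir_fd without re-resolving any path: every stat/open/
    unlink is relative to an open directory fd. Returns deleted names relative to it."""
    now = time.time() if now is None else now
    deleted = []
    for name in os.listdir(dir_fd):
        try:
            st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
        except FileNotFoundError:
            continue  # vanished after listdir; nothing left to delete
        if stat.S_ISDIR(st.st_mode):
            try:  # O_NOFOLLOW catches a directory swapped for a symlink after the stat
                sub = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            except OSError as e:  # ELOOP on Linux, EMLINK on FreeBSD
                if e.errno in (errno.ELOOP, errno.EMLINK, errno.ENOTDIR, errno.ENOENT):
                    continue
                raise
            deleted += [os.path.join(name, d) for d in clean_dir(sub, max_age_s, now)]
            os.close(sub)
        elif stat.S_ISREG(st.st_mode) and is_junk(name) and now - st.st_atime > max_age_s:
            os.unlink(name, dir_fd=dir_fd)  # unlinkat(2) in the directory we just listed
            deleted.append(name)  # only regular files; a symlink never counts as junk here
    return deleted

def demo():
    """Constructed tree: root/work/prog.core is stale junk (must go), root/prog.core is
    fresh (must stay), root/evil is a symlink to a directory holding a stale victim.core
    that stands in for the swapped component and must survive."""
    root, elsewhere = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "work"))
    stale, victim = os.path.join(root, "work", "prog.core"), os.path.join(elsewhere, "victim.core")
    for p in (stale, os.path.join(root, "prog.core"), victim):
        open(p, "w").close()
    old = time.time() - 10 * 86400
    os.utime(stale, (old, old)); os.utime(victim, (old, old))
    os.symlink(elsewhere, os.path.join(root, "evil"))
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        return clean_dir(fd, 3 * 86400), os.path.exists(victim)
    finally:
        os.close(fd)
```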