Date: Fri, 7 Apr 1995 07:30:02 -0700
From: ache@astral.msk.su
To: freebsd-bugs
Subject: kern/304: rm's didn't work from /etc/rc, if user set uchg/uappnd flags
Message-ID: <199504071430.HAA08435@freefall.cdrom.com>
In-Reply-To: Your message of Fri, 7 Apr 1995 18:23:24 +0400 <199504071423.SAA12556@deep-thought.demos.su>
>Number: 304
>Category: kern
>Synopsis: root rm fails, if user set uchg/uappnd flag
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: freebsd-bugs (FreeBSD bugs mailing list)
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Apr 7 07:30:01 1995
>Originator: Andrey A. Chernov; Black Mage
>Organization: Astral
>Release: FreeBSD 2.1.0-Development i386
>Environment:
-current
>Description:
Any user can make even whole unremovable trees in /tmp by using uchg/uappnd bits, and /etc/rc doesn't clean them. Basically, it can happen in any public area which needs root cleaning. All root scripts which do "rm" on a user file can be easily cheated with uchg/uappnd bits, so it is a potential security hole.
>How-To-Repeat:
From any user "chflags uchg dir" or "chflags uappnd file".
>Fix:
Of course, all rm -rf can be changed to call chflags before, but there are too many such places. A better way is to fix the unlink() system call to protect only schg/sappnd files from root and not protect uchg/uappnd files. I can fix it after some sort of core agreement happens.
>Audit-Trail:
>Unformatted:
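The workaround named under >Fix (clearing the flags before each rm -rf), sketched as an added example that is not part of the original report. The function names `clean_tree` and `demo` and the temporary paths are hypothetical; it assumes a BSD chflags(1) is on PATH wherever these file flags exist.

```shell
#!/bin/sh
# Added example, not code from the report or from FreeBSD's /etc/rc.

# clean_tree DIR: remove DIR and everything below it, clearing the
# user-settable flags first. Only uchg/uappnd are cleared; schg/sappnd are
# left alone, matching the report's split between user and system flags.
clean_tree() {
    dir=$1
    # Refuse empty, root or relative paths so a bad variable cannot wipe "/".
    case "$dir" in
        ""|/|[!/]*) echo "clean_tree: refusing '$dir'" >&2; return 2 ;;
    esac
    # Refuse a symlink as the top-level argument; nothing to do if absent.
    [ -h "$dir" ] && return 2
    [ -d "$dir" ] || return 0
    # chflags is a BSD tool; where it is missing there are no flags to clear.
    if command -v chflags >/dev/null 2>&1; then
        chflags -R nouchg,nouappnd "$dir" || return 1
    fi
    rm -rf -- "$dir"
    # A user can set the flags again between the two steps above, so report
    # failure if anything survived instead of assuming the tree is gone.
    [ ! -e "$dir" ]
}

# demo: build a constructed tree, flag it as in >How-To-Repeat when chflags
# is available, then clean it. Returns 0 when the tree is gone.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/sub" && : > "$t/sub/file" || return 1
    if command -v chflags >/dev/null 2>&1; then
        chflags uappnd "$t/sub/file"
        chflags uchg "$t/sub"
    fi
    clean_tree "$t"
}

demo && echo "constructed tree removed"
```
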