From owner-freebsd-security Fri May 25 10:44:05 2001
Message-ID: <001301c0e542$474fd3b0$01000001@book>
From: "alexus" <ml@db.nexgen.com>
To: "Nick Cleaton" <nick@cleaton.net>, freebsd-security@freebsd.org
References: <20010525180354.A434@lt1.cleaton.net>
Subject: Re: 4.3 Security: local DoS via clean-tmps
Date: Fri, 25 May 2001 13:43:59 -0400

How can I make sure that I don't have this enabled? And is there a fix for that?

----- Original Message -----
From: "Nick Cleaton"
Sent: Friday, May 25, 2001 1:03 PM
Subject: 4.3 Security: local DoS via clean-tmps

>
> Tested in 4.3-RELEASE only:
>
> If /etc/periodic/daily/clean-tmps is enabled, then it's possible
> for any local user to trick it into calling unlink() or rmdir()
> on anything in the root directory.
>
> The problem is that "find -delete" can be made to do chdir("..")
> multiple times followed by unlink() and/or rmdir().
>
> 588 find CALL chdir(0x280e227d)
> 588 find NAMI ".."
> 588 find RET chdir 0
> 588 find CALL chdir(0x280e227d)
> 588 find NAMI ".."
> 588 find RET chdir 0
> 588 find CALL chdir(0x280e227d)
> 588 find NAMI ".."
> 588 find RET chdir 0
> 588 find CALL chdir(0x280e227d)
> 588 find NAMI ".."
> 588 find RET chdir 0
> 588 find CALL unlink(0x8051440)
> 588 find NAMI "sys"
>
> This means it can be tricked into going up too high by moving
> its current directory higher up the hierarchy, by for example
> doing "mv /tmp/1/2/3 /tmp/4" while find's working directory is
> somewhere under "/tmp/1/2/3".
>
> The attached exploit will cause it to delete the /home -> /usr/home
> symlink. I think this would render it impossible to log into a
> system configured for non-root ssh access via DSA key only.
>
> This could also be used to unlink other users' files in /tmp
> without regard to their age.
>
> --
> Nick Cleaton
> nick@cleaton.net
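The defensive counterpart to the race Nick describes is for a tree walker to record each directory's device and inode on the way down and verify them after every chdir(".."), refusing to continue when the parent is not the one it left. The C program below is an added example, not code from the post or from FreeBSD's find(1)/fts(3): it builds a constructed a/b/c/d tree under a mkdtemp directory in /tmp, optionally renames a/b/c to x while "inside" d to mimic the concurrent mv, and reports how many ascents the check accepts.

```c
#define _DEFAULT_SOURCE
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

struct dir_id { dev_t dev; ino_t ino; };
/* Record the identity (device, inode) of the current working directory. */
static int cwd_id(struct dir_id *id)
{
    struct stat st;
    if (stat(".", &st) != 0) return -1;
    id->dev = st.st_dev; id->ino = st.st_ino;
    return 0;
}
/* chdir("..") and confirm we landed in the directory recorded before descent.
 * A walker must stop on -1 rather than unlink()/rmdir() relative to a wrong cwd. */
static int safe_ascend(const struct dir_id *expected)
{
    struct dir_id now;
    if (chdir("..") != 0 || cwd_id(&now) != 0) return -1;
    return (now.dev == expected->dev && now.ino == expected->ino) ? 0 : -1;
}
/* Demo (constructed tree): build a/b/c/d in a fresh temp dir, descend to d
 * recording each level, optionally rename a/b/c to x (the concurrent "mv" from
 * the post), then ascend. Returns how many ascents verified (4 means all). */
int ascend_demo(int move_subtree)
{
    char base[] = "/tmp/ascendXXXXXX", from[64], to[64];
    const char *levels[] = { "a", "b", "c", "d" };
    struct dir_id seen[5];  /* seen[0] = temp dir, seen[i] = level i */
    int i, ok = 0, here = open(".", O_RDONLY);  /* to restore cwd afterwards */
    if (here < 0 || mkdtemp(base) == NULL || chdir(base) != 0 || cwd_id(&seen[0]) != 0)
        return -1;
    for (i = 0; i < 4; i++)
        if (mkdir(levels[i], 0700) != 0 || chdir(levels[i]) != 0 || cwd_id(&seen[i + 1]) != 0)
            return -1;
    if (move_subtree) {
        snprintf(from, sizeof from, "%s/a/b/c", base);
        snprintf(to, sizeof to, "%s/x", base);
        if (rename(from, to) != 0) return -1;
    }
    /* Ascend d->c->b->a->base; after the move, c's parent is the temp dir, not b. */
    for (i = 4; i > 0 && safe_ascend(&seen[i - 1]) == 0; i--)
        ok++;
    if (fchdir(here) != 0) ok = -1;
    close(here);
    return ok;
}
```

The demo does not remove the temp tree it creates under /tmp; with the rename applied, the first ascent (d to c) verifies and the second (c, expecting b) is rejected.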