From owner-freebsd-security  Wed May 22 08:22:38 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id IAA03265
          for security-outgoing; Wed, 22 May 1996 08:22:38 -0700 (PDT)
Received: from GndRsh.aac.dev.com (GndRsh.aac.dev.com [198.145.92.241])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id IAA03256
          for <freebsd-security@freebsd.org>; Wed, 22 May 1996 08:22:30 -0700 (PDT)
Received: (from rgrimes@localhost) by GndRsh.aac.dev.com (8.6.12/8.6.12) id IAA14176; Wed, 22 May 1996 08:21:47 -0700
From: "Rodney W. Grimes" <rgrimes@GndRsh.aac.dev.com>
Message-Id: <199605221521.IAA14176@GndRsh.aac.dev.com>
Subject: Re: [linux-security] Things NOT to put in root's crontab (fwd)
To: beurton@fnet.fr (Luc Beurton)
Date: Wed, 22 May 1996 08:21:47 -0700 (PDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: <199605221024.LAA00905@nil.fnet.fr> from Luc Beurton at "May 22, 96 11:24:56 am"
X-Mailer: ELM [version 2.4ME+ PL11 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

...

> #
> #/etc/rc is not the problem, /etc/*ly is:
> #SkyRsh# grep exec /etc/*ly
> #/etc/daily:     find . ! -name . -mtime +7 -exec rm -f -- {} \; ; }
> #                                           ^^^^^^^^^^^
> #/etc/daily:     find . ! -name . -mtime +7 -exec rm -f -- {} \; ; }
> #                                           ^^^^^^^^^^^
> #/etc/daily:#            -a -atime +3 -exec rm -f -- {} \;
> #                                     ^^^^^^^^^^^
> #/etc/weekly:PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/libexec
> #/etc/weekly:#find /usr/src -name '*.o' -atime +21 -print -a -exec rm -f {} \;
> #                                                             ^^^^^^^^^^^
> #/etc/weekly:echo /usr/libexec/locate.updatedb | nice -5 su -m nobody 2>&1 |\
> 
> '-exec rm -f' is not a probleme because:
> only /var/tmp/etc (the symbolic link) will be removed

Read the LONG post very carefully.  There is a potential race condition
by using a combination attack of LOTS of directories in /tmp with LOTS
of symbolic links.  If you switch between a dir and link at the right time
it will be followed due to delays betweeen the find execution and the exec'ing
of rm -f.

> 
> I think ,the real probleme is to use the flags `-r' because rm
> follow the symbolic link.

rm -r will not follow a symbolic link, any more than find will.  You may
be able to spoof rm -r with the same type of attach, that I don't know.


-- 
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation Company                 Reliable computers for FreeBSD