From owner-cvs-all Tue Aug 8 15:24:56 2000 Delivered-To: cvs-all@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 907DC37B675; Tue, 8 Aug 2000 15:24:53 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA96145; Tue, 8 Aug 2000 15:24:52 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Tue, 8 Aug 2000 15:24:52 -0700 (PDT) From: Kris Kennaway To: Brian Somers Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/etc rc In-Reply-To: <200008081330.GAA56454@freefall.freebsd.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-cvs-all@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Tue, 8 Aug 2000, Brian Somers wrote: > brian 2000/08/08 06:30:28 PDT > > Modified files: > etc rc > Log: > Don't use find(1) before nfs filesystems have been mounted as > it lives in /usr/bin. Instead, locate files manually. > > Note, only *files* under /var/spool/lock are now deleted rather > than everything that's not a directory. I think this is more > correct, but if anyone disagrees please feel free to change it. This is vulnerable to filenames with spaces in them and the like. Granted, the directory is not world-writable, but we've had several "group dialer" or "user uucp" exploits in ports. morden# ls -ld /var/spool/lock drwxrwxr-x 2 uucp dialer 512 Aug 8 14:26 /var/spool/lock Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message