Date: Tue, 12 Aug 1997 21:17:15 -0600
From: John-David Childs <jdc@denver.net>
To: freebsd-questions@freebsd.org
Subject: Re: Please explain why this is a security hole in /etc/daily
Message-ID: <19970812211715.37172@denver.net>
In-Reply-To: <199708112038.WAA19822@curry.mchp.siemens.de>; from Andre Albsmeier on Mon, Aug 11, 1997 at 10:38:09PM +0200
References: <199708112038.WAA19822@curry.mchp.siemens.de>

On Monday August 1997, Andre Albsmeier <Andre.Albsmeier@mchp.siemens.de> had
this to say about "Please explain why this is a security hole in /etc/daily":

> Hi,
>
> using 2.2-STABLE we find the following in /etc/daily:
>
> # This is a security hole, never use 'find' on a public directory
> # with -exec rm -f as root. This can be exploited to delete any file
> # on the system.

[SNIP code]

> Please tell me, why this is so, and how I could clean /tmp securely
> since this is no longer done at startup. I have experimented a bit
> with find and symlinks but didn't find anything unsecure :-)

It has to do with a potential "race" condition...the following is from
"rough" memory and should be corrected by others if I'm wrong.

The find program works in two stages...

1) traverse a specified directory looking for filenames which match the
   given pattern
2) perform the specified action

Now, if your system is very busy (deliberately or otherwise) a hacker might
replace a "good" file with a symlink to a system file (e.g.
/etc/master.passwd) during the time between step 1 and step 2...guess what
happens next if the "action" is "rm -f {} \;" :=)

--
John-David Childs (JC612)
Enterprise Internet Solutions
System Administrator & Network Engineer
@denver.net/Internet-Coach/@ronan.net
901 E 17th Ave, Denver 80218
As of this^H^H^H^H next week, passwords will be entered in Morse code.
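
The question of how to clean /tmp without a gap between finding a name and removing it, as an added example (not code from this thread or from FreeBSD's /etc/daily): the C routine below walks the tree through directory descriptors, so each check and each removal applies to an entry of a directory that is already open. The names `clean_tmp` and `clean_dirfd` are hypothetical, and using mtime as the age test is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Remove regular files older than max_age seconds below the directory open
 * on dfd. Every lookup is relative to an already-open descriptor, so no full
 * path is resolved again between the check and the removal.
 * Takes ownership of dfd; returns the number of files removed, or -1. */
static int clean_dirfd(int dfd, time_t now, time_t max_age)
{
    DIR *d = fdopendir(dfd);
    struct dirent *e;
    int removed = 0;

    if (d == NULL) { close(dfd); return -1; }
    while ((e = readdir(d)) != NULL) {
        struct stat st;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
            continue;
        /* lstat semantics: a symlink is reported as a symlink, not followed */
        if (fstatat(dfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0)
            continue;
        if (S_ISDIR(st.st_mode)) {
            /* O_NOFOLLOW fails if the entry turned into a symlink meanwhile */
            int sub = openat(dfd, e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
            int n = sub >= 0 ? clean_dirfd(sub, now, max_age) : 0;
            if (n > 0) removed += n;
        } else if (S_ISREG(st.st_mode) && now - st.st_mtime > max_age) {
            /* removes the name inside dfd only; unlinkat never follows links */
            if (unlinkat(dfd, e->d_name, 0) == 0) removed++;
        }
    }
    closedir(d); /* also closes dfd */
    return removed;
}

/* Hypothetical entry point: open the top directory once, refusing a symlink. */
int clean_tmp(const char *top, time_t max_age)
{
    int dfd = open(top, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    return dfd < 0 ? -1 : clean_dirfd(dfd, time(NULL), max_age);
}
```

Symlinks are left in place rather than removed, and the routine neither stops at mount points nor removes emptied directories; both would need to be added for a real nightly job.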