From owner-freebsd-questions Tue Aug 12 20:06:18 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id UAA13991 for questions-outgoing; Tue, 12 Aug 1997 20:06:18 -0700 (PDT)
Received: from milehigh.denver.net (milehigh.denver.net [204.144.180.2]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id UAA13985 for ; Tue, 12 Aug 1997 20:06:11 -0700 (PDT)
Received: (from jdc@localhost) by milehigh.denver.net (8.8.5/8.8.5) id VAA05687; Tue, 12 Aug 1997 21:17:15 -0600 (MDT)
Message-ID: <19970812211715.37172@denver.net>
Date: Tue, 12 Aug 1997 21:17:15 -0600
From: John-David Childs
To: freebsd-questions@freebsd.org
Subject: Re: Please explain why this is a security hole in /etc/daily
References: <199708112038.WAA19822@curry.mchp.siemens.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.79
In-Reply-To: <199708112038.WAA19822@curry.mchp.siemens.de>; from Andre Albsmeier on Mon, Aug 11, 1997 at 10:38:09PM +0200
Organization: Enterprise Internet Solutions
Sender: owner-freebsd-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Monday August 1997, Andre Albsmeier had this to say about "Please explain why this is a security hole in /etc/daily":
> Hi,
>
> using 2.2-STABLE we find the following in /etc/daily:
>
> # This is a security hole, never use 'find' on a public directory
> # with -exec rm -f as root. This can be exploited to delete any file
> # on the system.

[SNIP code]

> Please tell me, why this is so, and how I could clean /tmp securely
> since this is no longer done at startup. I have experimented a bit
> with find and symlinks but didn't find anything unsecure :-)

It has to do with a potential "race" condition... the following is from
"rough" memory and should be corrected by others if I'm wrong.

The find program works in two stages...

1) traverse a specified directory looking for filenames which match the
   given pattern
2) perform the specified action

Now, if your system is very busy (deliberately or otherwise) a hacker
might replace a "good" file with a symlink to a system file (e.g.
/etc/master.passwd) during the time between step 1 and step 2... guess what
happens next if the "action" is "rm -f {} \;" :=)

--
John-David Childs (JC612)    Enterprise Internet Solutions
System Administrator         @denver.net/Internet-Coach/@ronan.net
  & Network Engineer         901 E 17th Ave, Denver 80218
As of this^H^H^H^H next week, passwords will be entered in Morse code.
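
The following Python example is added here; it is not part of the original message and is not code from FreeBSD's /etc/daily. It addresses the "how could I clean /tmp securely" question by doing every lookup as a single name relative to an open directory descriptor with `O_NOFOLLOW`, so a name swapped for a symlink between the check and the removal cannot redirect the delete. The names `clean_tree` and `clean_tmp` and the age threshold are hypothetical, and it assumes a platform where Python's `dir_fd` support is available.

```python
import os
import stat
import time

def clean_tree(dirfd, max_age, now, removed, prefix=""):
    """Unlink old non-directory entries below the open directory `dirfd`."""
    for name in os.listdir(dirfd):
        try:
            # lstat relative to the directory we hold open, not a full path
            st = os.stat(name, dir_fd=dirfd, follow_symlinks=False)
        except FileNotFoundError:
            continue  # entry vanished since the listing
        if stat.S_ISDIR(st.st_mode):
            try:
                # O_NOFOLLOW makes this fail if `name` became a symlink
                sub = os.open(name,
                              os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                              dir_fd=dirfd)
            except OSError:
                continue
            try:
                sub_st = os.fstat(sub)
                # Descend only if we opened the directory we just examined
                if (sub_st.st_dev, sub_st.st_ino) == (st.st_dev, st.st_ino):
                    clean_tree(sub, max_age, now, removed, prefix + name + "/")
            finally:
                os.close(sub)
        elif now - st.st_mtime > max_age:
            try:
                # unlink removes the link itself, never a symlink's target
                os.unlink(name, dir_fd=dirfd)
                removed.append(prefix + name)
            except FileNotFoundError:
                pass
    return removed

def clean_tmp(path, max_age, now=None):
    """Clean `path`; return the sorted relative names that were removed."""
    now = time.time() if now is None else now
    top = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        return sorted(clean_tree(top, max_age, now, []))
    finally:
        os.close(top)
```
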