Date: Tue, 24 Feb 1998 08:02:34 -0800
From: "David E. Tweten" <tweten@frihet.com>
To: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
Cc: Robert Watson <robert+freebsd@cyrus.watson.org>, freebsd-security@FreeBSD.ORG
Subject: Re: Find, Rm, and Root's Crontab
Message-ID: <199802241602.IAA03017@ns.frihet.com>

cschuber@uumail.gov.bc.ca said:
> Try the -delete flag of find.

Perhaps I ought to read TFM next time ... Looks like this handles the rm half of the root-find-and-rm security hole.

The original explanation featured two problems. The rm problem is that it follows directory symbolic links, even when find does not. Since find (as used for junk file cleaning) calls rm with a full path, rather than a current-directory-relative file name, a properly timed directory symbolic link insertion (after found and before rm'ed) can cause root to delete an unintended file. Since the find "-delete" option operates relative to find's current directory, it seems to me it should completely handle that part of the problem.

Do you have any idea why the commented-out finds in /etc/daily haven't been changed to use "-delete" instead of "rm -f {} ;\"?

> It is not atomic so a race condition, though much smaller, still exists.

Care to expand on that? What is the race, and how could a cracker exploit it? The find documentation on "-delete" looks pretty safe to me.

Of course, all this still leaves find vulnerable to confusion while working its way back out of a path that's been changed since find entered it. That part should be fixed in find. Is anybody working on it?

-- 
David E. Tweten          | 2047-bit PGP fingerprint:  | tweten@frihet.com
12141 Atrium Drive       | E9 59 E7 5C 6B 88 B8 90    | tweten@and.com
Saratoga, CA 95070-3162  | 65 30 2A A4 A0 BC 49 AE    | (408) 446-4131
Those who make good products sell products; those who don't, sell solutions.
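
Added example, not part of the original message and not FreeBSD find's own code: a C sketch of deleting relative to an open directory rather than by full path, so that a directory swapped for a symbolic link between "found" and "deleted" causes a refusal instead of a delete elsewhere. The names delete_in_dir and demo_swapped_dir, and the junk/ and keep/ directories, are hypothetical and the tree is constructed in a temporary directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Delete `name` inside `dir`, both resolved relative to parent_fd.
 * O_NOFOLLOW makes the open fail if `dir` is now a symbolic link (errno
 * varies by system), and unlinkat() acts on the directory actually held
 * open, not on whatever a full path string resolves to at that moment. */
int delete_in_dir(int parent_fd, const char *dir, const char *name)
{
    int dfd = openat(parent_fd, dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    int rc = unlinkat(dfd, name, 0);
    close(dfd);
    return rc;
}

static void touch_at(int dfd, const char *path)
{
    int fd = openat(dfd, path, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0) close(fd);
}

/* Constructed scenario: junk/ is replaced by a symlink to keep/ before the
 * delete runs. Returns 1 if the normal delete worked, the delete through
 * the swapped directory was refused, and keep/old survived; 0 otherwise. */
int demo_swapped_dir(void)
{
    char tmpl[] = "/tmp/finddemoXXXXXX";
    if (!mkdtemp(tmpl)) return 0;
    int base = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (base < 0) return 0;
    mkdirat(base, "junk", 0700);
    mkdirat(base, "keep", 0700);
    touch_at(base, "junk/old");
    touch_at(base, "keep/old");
    int ok_normal = delete_in_dir(base, "junk", "old") == 0;
    unlinkat(base, "junk", AT_REMOVEDIR);      /* simulate the swap */
    symlinkat("keep", base, "junk");
    int refused = delete_in_dir(base, "junk", "old") == -1;
    int survived = faccessat(base, "keep/old", F_OK, 0) == 0;
    unlinkat(base, "junk", 0);                 /* clean up the demo tree */
    unlinkat(base, "keep/old", 0);
    unlinkat(base, "keep", AT_REMOVEDIR);
    close(base);
    rmdir(tmpl);
    return ok_normal && refused && survived;
}

int main(void) { return demo_swapped_dir() ? 0 : 1; }
```

This covers only the delete step for one directory level; it does not address find losing its place while walking back out of a path that has been changed.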