Bugtraq mailing list archives
Re: [linux-security] Things NOT to put in root's crontab
From: jmg () students si fct unl pt (Jorge Guilherme)
Date: Thu, 30 May 1996 17:56:36 +0200
There is another problem with rm.

On Tue, 21 May 1996, Zygo Blaxell wrote:

> From Redhat's /etc/crontab file:
>
>     43 02 * * * root find /var/tmp/* -atime +3 -exec rm -f {} \; 2> /dev/null
>
> * PROBLEM DISCUSSION AND EXPLOITATION
>
> The immediate security problem is that 'rm' doesn't check that components of the directory name are not symlinks. This means that you
That's right. The main point is that it's a rm problem.
> * FIXES
>
> The easiest way to fix this is to get rid of the find/rm stuff completely. If you need a garbage collector, try our LRU garbage collection daemon at the URL given below.
The best way (IMO) is to do a new rm.
>     rm -f ./passwd
>
> which is secure as long as '.' isn't in your PATH. Note the leading './' to prevent rm from interpreting the filename as a parameter.
If you use 'rm -f -- passwd' the file name won't be interpreted as a parameter. '--' is the GNU standard for disabling any further option processing.

And now for some more bad news: Imagine a 'find /tmp | xargs rm -f --'. To exploit this one you NEED NO RACE condition. All that needs to be done is to create a directory called ' ' (Yeap, that's a single space) and inside it create another one called 'etc' and inside that one do a 'touch passwd'. xargs will see the name of the directory ' ' as a field separator and will pass to rm the argument '/etc/passwd'.

There are more variations on this one lurking to the unaware administrator, like when the output of find is sent to a file, something like 'find /tmp > rm.list' and then the administrator would edit the file to remove some files or directories that he didn't want deleted and then do a 'xargs rm -f -- < rm.list' or 'rm -f -- `cat rm.list`'.

Jorge Guilherme
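As an added example, not part of Jorge's post or any of the quoted mail: a shell script that builds the ' '/etc/passwd layout inside a private temporary directory, counts how many arguments xargs hands on when fed newline-separated find output versus NUL-separated output (find -print0 | xargs -0), and then runs the cleanup in the NUL-delimited, '--'-terminated form. It assumes GNU or BSD find and xargs that support -print0 and -0; nothing outside the sandbox is touched.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the whitespace-splitting
# hazard under a throwaway directory and show the find -print0 | xargs -0 form
# that keeps each pathname as exactly one argument.

# Build the constructed layout: $sandbox/' '/etc/passwd, where the first
# component is a directory whose name is a single space.
make_sandbox() {
    sandbox=$(mktemp -d) || return 1
    mkdir -p "$sandbox/ /etc"
    : > "$sandbox/ /etc/passwd"
    printf '%s\n' "$sandbox"
}

# Arguments xargs passes to its command when fed newline-separated find output
# (the form the post warns about). The space inside the pathname is treated as
# a field separator, so the single path arrives as two arguments.
naive_arg_count() {
    find "$1" -type f | xargs sh -c 'echo $#' sh
}

# Same count with NUL-delimited paths: whitespace in names is no longer
# significant, so the path arrives as one argument.
safe_arg_count() {
    find "$1" -type f -print0 | xargs -0 sh -c 'echo $#' sh
}

# Cleanup written the defensive way: NUL delimiters so names cannot be split,
# and '--' so a name beginning with '-' cannot become an rm option.
# Returns 0 when the sandbox file is gone.
safe_cleanup() {
    find "$1" -type f -print0 | xargs -0 rm -f --
    [ ! -e "$1/ /etc/passwd" ]
}

main() {
    sb=$(make_sandbox) || exit 1
    echo "newline-separated xargs sees $(naive_arg_count "$sb") argument(s)"
    echo "NUL-separated xargs sees $(safe_arg_count "$sb") argument(s)"
    safe_cleanup "$sb" && echo "sandbox file removed, nothing else touched"
    rm -rf "$sb"
}

main "$@"
```

The same hazard is avoided without xargs by letting find invoke rm itself, e.g. 'find /var/tmp -type f -atime +3 -exec rm -f -- {} +', since find passes each pathname as a single argument regardless of the characters it contains.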
Current thread:
- Re: [linux-security] Things NOT to put in root's crontab Paul Szabo (May 29)
- <Possible follow-ups>
- Re: [linux-security] Things NOT to put in root's crontab Jorge Guilherme (May 30)
- Re: [linux-security] Things NOT to put in root's crontab Allen Wheelwright (Jun 03)
- Re: [linux-security] Things NOT to put in root's crontab Valdis.Kletnieks () vt edu (Jun 03)
- Re: [linux-security] Things NOT to put in root's crontab Allen Wheelwright (Jun 03)