Bugtraq mailing list archives

Re: [linux-security] Things NOT to put in root's crontab


From: jmg () students si fct unl pt (Jorge Guilherme)
Date: Thu, 30 May 1996 17:56:36 +0200


 There is another problem with rm.

On Tue, 21 May 1996, Zygo Blaxell wrote:

> From Redhat's /etc/crontab file:
> 43 02 * * * root find /var/tmp/* -atime +3 -exec rm -f {} \; 2> /dev/null
> * PROBLEM DISCUSSION AND EXPLOITATION
> The immediate security problem is that 'rm' doesn't check that
> components of the directory name are not symlinks.  This means that you
 That's right. The main point is that it's an rm problem.

> * FIXES
> The easiest way to fix this is to get rid of the find/rm stuff
> completely.  If you need a garbage collector, try our LRU garbage
> collection daemon at the URL given below.
 The best way (IMO) is to do a new rm.

>       rm -f ./passwd
>
> which is secure as long as '.' isn't in your PATH.  Note the leading
> './' to prevent rm from interpreting the filename as a parameter.
 If you use 'rm -f -- passwd' the file name won't be interpreted as a
parameter. '--' is the GNU standard for disabling any further option
processing.

 And now for some more bad news:
Imagine a 'find /tmp |xargs rm -f --'. To exploit this one you NEED NO
RACE condition. All that needs to be done is to create a directory called
' ' (Yep, that's a single space) and inside it create another one called
'etc' and inside that one do a 'touch passwd'.
 xargs will see the name of the directory ' ' as a field separator and
will pass to rm the argument '/etc/passwd'.

 There are more variations on this one lurking to the unaware
administrator, like when the output of find is sent to a file, something
like 'find /tmp > rm.list' and then the administrator would edit the file
to remove some files or directories that he didn't want deleted and then
do a 'xargs rm -f -- < rm.list' or 'rm -f -- `cat rm.list`'.



.::::.
|    |
\\  //
 \\//
  \\          Jorge Guilherme
 //\\
|/  \\
     ~'
Blue
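
The argument splitting described in the message above, shown as an added example that is not part of the original post: `printf` stands in for `rm` so nothing is deleted, the directory tree is a constructed sandbox under `mktemp`, and the function names are hypothetical. It compares plain `find | xargs` with two forms that pass each path as exactly one argument.

```shell
#!/bin/sh
# Constructed sandbox: tmp/' '/etc/passwd, the layout described in the post.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/tmp/ /etc"
    : > "$sb/tmp/ /etc/passwd"
    printf '%s\n' "$sb"
}

# Plain pipe: xargs splits its input on blanks as well as newlines,
# so the path "tmp/ /etc/passwd" becomes "tmp/" and "/etc/passwd".
args_unsafe() {
    (cd "$1" && find tmp | xargs printf '%s\n')
}

# NUL-delimited: each path reaches the command as one argument,
# whatever whitespace or newlines the name contains.
args_safe() {
    (cd "$1" && find tmp -print0 | xargs -0 printf '%s\n')
}

# No xargs at all: find builds the argument list itself.
args_exec() {
    (cd "$1" && find tmp -exec printf '%s\n' {} +)
}

# This covers only the word-splitting problem; it does nothing about
# the symlink issue with rm raised earlier in the thread.
sb=$(make_sandbox) || exit 1
echo "find | xargs passes:";            args_unsafe "$sb"
echo "find -print0 | xargs -0 passes:"; args_safe "$sb"
echo "find -exec ... {} + passes:";     args_exec "$sb"
rm -rf -- "$sb"
```

The same splitting applies to the `rm.list` variants in the post, because both `xargs < rm.list` and `` `cat rm.list` `` break names on whitespace.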


