Bugtraq mailing list archives
Re: [linux-security] Things NOT to put in root's crontab
From: zblaxell () myrus com (Zygo Blaxell)
Date: Thu, 23 May 1996 18:27:20 -0400
Quoted from Philip Guenther:
The race condition in find should be eliminatible by using fchdir() and passing the '-exec'ed command a simple filename. You have to keep open one descriptor for each level descended which should max out at MAXPATHLEN/2. That should be within the bounds of modern UNIX systems.
In pseudocode:
cur = open argv[1];
fchdir(cur);
do_dir(cur);
do_dir(int cur) {
foreach file in "." {
### vulnerability here ###
int fd = open file;
### vulnerability here ###
do_stuff_from_command_line;
if ISDIR(fstat fd) {
fchdir(fd);
do_dir(fd);
fchdir(cur);
}
}
}
Correct, except that it is necessary to check that 'open file' didn't
follow a symlink. Actually, without this check, this pseudocode is much
worse than current find implementations, because it follows *all*
symlinks to directories, no racing necessary.
Here's something that may be cleaner. In this pseudocode language, all
system calls throw an exception on failure that exits the current
function.
find {
int first_dir_fd=opendir(.);
foreach directory on commandline {
// not necessary to check stuff we're given
chdir(directory);
recursively_process_current_directory;
fchdir(first_dir_fd);
}
}
recursively_process_current_directory {
try {
foreach file in "." {
A=lstat(file);
do_stuff_from_command_line;
if (ISDIR(A)) {
int parentwd_fd=opendir(.);
B=lstat(.); //optional
chdir(file);
C=lstat(.);
D=lstat(..); //optional
if (
A!=C //mandatory
|| B!=D //optional
) {
print_warning;
return error;
}
recursively_process_current_directory();
fchdir(parentwd_fd);
}
}
}
}
The parts marked 'optional' above I don't think you really need.
All parameters to 'exec' are relative to the current directory. To
prevent most Unix commands from getting confused, optionally prepend
'./' to each filename.
--
Zygo Blaxell. Former Unix/soft/hardware guru, U of Waterloo Computer Science
Club. Current sysadmin for Myrus Design, Inc. 10th place, ACM Intl Collegiate
Programming Contest Finals, 1994. Administer Linux nets for food, clothing,
and anime. "I gave up $1000 to avoid working on windoze... *sigh*" - Amy Fong
Current thread:
- Re: [linux-security] Things NOT to put in root's crontab Christopher D. McCann (May 22)
- <Possible follow-ups>
- Re: [linux-security] Things NOT to put in root's crontab William McVey (May 22)
- Re: [linux-security] Things NOT to put in root's crontab Philip Guenther (May 22)
- Re: [linux-security] Things NOT to put in root's crontab Sean Vickery (May 22)
- Re: [linux-security] Things NOT to put in root's crontab Philip Guenther (May 22)
- Re: [linux-security] Things NOT to put in root's crontab Colin Jenkins (May 23)
- Re: [linux-security] Things NOT to put in root's crontab Philip Guenther (May 23)
- Re: [linux-security] Things NOT to put in root's crontab Colin Jenkins (May 24)
- Re: [linux-security] Things NOT to put in root's crontab Aidas Kasparas (May 26)
- Re: [linux-security] Things NOT to put in root's crontab Philip Guenther (May 22)
- Re: [linux-security] Things NOT to put in root's crontab Zygo Blaxell (May 23)