Bugtraq mailing list archives
Re: Safe /tmp cleanup
From: steven () ENEL UCALGARY CA (Steven Leikeim)
Date: Wed, 12 Nov 1997 10:48:59 -0700
dsiebert () ICAEN UIOWA EDU writes
> There was a thread in Bugtraq a couple months ago about safe cleanup of /tmp and other publicly-writable directories. The problem is with the traditional cleanup along the lines of:
>
>     find /tmp -someoptions -print | xargs rm -moreoptions
>
> An attacker can create conditions using deep directories and symbolic links that will cause this command to delete any arbitrary file on the filesystem. See the archives for more info.
>
> This started a long discussion, and only two good solutions were proposed to my recollection. One, someone had a Perl script named "saferm" which did an insane amount of sanity checking to verify the path was correct. Two, it was proposed that the find command itself should handle this.
>
> The Perl script is quite slow and overly complex, I wanted a better solution. I took a look at the GNU archive to see if they had a find command which might already have such an option. They had a find command which hasn't been updated for about three years, which had no such option. But the source is very easy to read and modify so it was a simple matter to add a "-delete" option myself.
>
> I also noticed and fixed a bug that caused incorrect results when using the "-depth" option in some cases (those of you with Linux boxes, which use the GNU find, can try "find /var -depth -empty" and you'll see what I mean). This was important to do since you need the -depth option to work for -delete to really work (-delete implies -depth in my code).
There is another option. In Red Hat Linux 4.2, there is a package called tmpwatch. Here is the first part of the man page:

    NAME
        tmpwatch - removes files which haven't been accessed for a period of time

    SYNOPSIS
        tmpwatch [-fav] [--verbose] [--force] [--all] [--test] <hours> <dirs>

    DESCRIPTION
        tmpwatch recursively removes files which haven't been accessed for a
        given number of hours. Normally, it's used to clean up directories
        which are used for temporary holding space such as /tmp.

        When changing directories, tmpwatch is very sensitive to possible race
        conditions and will exit with an error if one is detected. It does not
        follow symbolic links in the directories it's cleaning (even if a
        symbolic link is given as its argument), will not switch filesystems,
        and only removes empty directories and regular files.

The source for this program is 294 lines of C (including comments). Enough care seems to have been taken to avoid race hazards and my limited examination of the code satisfied me that there are no security problems with it. Specifically, the program does everything itself; it does not rely on an external program for any function, which should eliminate problems associated with special characters and/or buffer overflows due to deep paths.

The version that I have (tmpwatch-1.2-1.src.rpm) can be found at:

    ftp://wuarchive.wustl.edu/systems/linux/redhat/redhat-4.2/SPRMS/tmpwatch-1.2.1-1.rpm

Steven Leikeim
Department of Electrical and Computer Engineering
University of Calgary
Calgary, Alberta
Phone: (403) 220-5373
Fax: (403) 282-6855
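The properties the man page excerpt lists (symlinks are never followed, the walk never leaves the starting filesystem, only regular files and empty directories are removed, and a detected race when descending into a directory aborts the run) are what distinguish a safe cleaner from the find | xargs rm pipeline quoted above. The program below is an added example written for this archive page; it is not tmpwatch's source and not code from either poster. It assumes a POSIX system with openat/fstatat/unlinkat, keys staleness on mtime rather than the atime tmpwatch uses, and the scratch tree built by demo_run is a constructed scenario, not anything from the thread.

```c
#define _POSIX_C_SOURCE 200809L
#define _DEFAULT_SOURCE 1
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Clean the directory open as dirfd. 'dev' is the filesystem of the starting
 * directory; 'cutoff' is the newest mtime still considered stale. Returns the
 * number of entries removed, or -1 on a detected race or I/O error. */
static int clean_fd(int dirfd, dev_t dev, time_t cutoff)
{
    int dupfd = dup(dirfd);              /* fdopendir owns its fd; keep dirfd usable */
    if (dupfd < 0) return -1;
    DIR *d = fdopendir(dupfd);
    if (!d) { close(dupfd); return -1; }
    int removed = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        struct stat st;
        /* lstat semantics: a symlink is reported as a symlink, never followed */
        if (fstatat(dirfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0) continue;
        if (st.st_dev != dev) continue;           /* never switch filesystems */
        if (S_ISREG(st.st_mode)) {
            if (st.st_mtime <= cutoff && unlinkat(dirfd, e->d_name, 0) == 0)
                removed++;
        } else if (S_ISDIR(st.st_mode)) {
            int sub = openat(dirfd, e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
            if (sub < 0) continue;
            struct stat opened;
            /* Race check: the directory we opened must be the inode we just
             * looked at; if the entry was swapped in between, exit with error. */
            if (fstat(sub, &opened) < 0 || opened.st_dev != st.st_dev ||
                opened.st_ino != st.st_ino) {
                close(sub); closedir(d); return -1;
            }
            int r = clean_fd(sub, dev, cutoff);
            close(sub);
            if (r < 0) { closedir(d); return -1; }
            removed += r;
            /* rmdir succeeds only once the directory is empty; otherwise keep it */
            if (st.st_mtime <= cutoff && unlinkat(dirfd, e->d_name, AT_REMOVEDIR) == 0)
                removed++;
        }
        /* symlinks, fifos, sockets and device nodes are left untouched */
    }
    closedir(d);
    return removed;
}

/* Remove regular files under 'path' not modified in the last max_age seconds,
 * plus directories that end up empty. Returns entries removed, or -1. */
int safe_cleanup(const char *path, time_t max_age)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    int r = clean_fd(fd, st.st_dev, time(NULL) - max_age);
    close(fd);
    return r;
}

static int touch(const char *p)
{
    int fd = open(p, O_WRONLY | O_CREAT, 0600);
    return fd < 0 ? -1 : close(fd);
}

/* Constructed scenario: a scratch tree holding a regular file, a subdirectory
 * with a file, and a symlink pointing at a file outside the tree. Returns 0 if
 * the in-tree files and the subdirectory are gone, the symlink itself and its
 * outside target both survive, and exactly 3 entries were removed. */
int demo_run(void)
{
    char tree[] = "/tmp/safeclean-XXXXXX", out[] = "/tmp/safeclean-out-XXXXXX";
    if (!mkdtemp(tree) || !mkdtemp(out)) return 1;
    char victim[128], f1[128], sub[128], f2[128], lnk[128];
    snprintf(victim, sizeof victim, "%s/victim", out);
    snprintf(f1, sizeof f1, "%s/old.tmp", tree);
    snprintf(sub, sizeof sub, "%s/sub", tree);
    snprintf(f2, sizeof f2, "%s/sub/inner.tmp", tree);
    snprintf(lnk, sizeof lnk, "%s/link", tree);
    if (touch(victim) || touch(f1) || mkdir(sub, 0700) || touch(f2) ||
        symlink(victim, lnk)) return 2;
    int n = safe_cleanup(tree, 0);            /* max_age 0: everything is stale */
    struct stat st;
    int ok = n == 3 && access(victim, F_OK) == 0 && access(f1, F_OK) != 0 &&
             access(f2, F_OK) != 0 && access(sub, F_OK) != 0 &&
             lstat(lnk, &st) == 0 && S_ISLNK(st.st_mode);
    unlink(lnk); rmdir(tree); unlink(victim); rmdir(out);   /* tidy up */
    return ok ? 0 : 3;
}

int main(void)
{
    int rc = demo_run();
    printf("scenario %s\n", rc == 0 ? "passed" : "failed");
    return rc;
}
```

The symlink to the outside file is the case that breaks the find | xargs rm pipeline: here it is neither followed nor removed, and its target is untouched. Working from directory file descriptors instead of re-resolving paths is what makes the st_dev/st_ino comparison meaningful; a path-based chdir and a second stat would leave the same window tmpwatch's race check is there to close.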
Current thread:
- Safe /tmp cleanup dsiebert () ICAEN UIOWA EDU (Nov 11)
- <Possible follow-ups>
- Re: Safe /tmp cleanup Steven Leikeim (Nov 12)