Bugtraq mailing list archives

Re: Safe /tmp cleanup


From: steven () ENEL UCALGARY CA (Steven Leikeim)
Date: Wed, 12 Nov 1997 10:48:59 -0700


dsiebert () ICAEN UIOWA EDU writes

There was a thread in Bugtraq a couple months ago about safe cleanup of
/tmp and other publicly-writable directories.  The problem is with the
traditional cleanup along the lines of:

find /tmp -someoptions -print | xargs rm -moreoptions

An attacker can create conditions using deep directories and symbolic
links that will cause this command to delete any arbitrary file on the
filesystem.  See the archives for more info.

This started a long discussion, and only two good solutions were proposed
to my recollection.  One, someone had a Perl script named "saferm" which
did an insane amount of sanity checking to verify the path was correct.
Two, it was proposed that the find command itself should handle this.
The Perl script is quite slow and overly complex, I wanted a better
solution.  I took a look at the GNU archive to see if they had a find
command which might already have such an option.  They had a find command
which hasn't been updated for about three years, which had no such option.
But the source is very easy to read and modify so it was a simple matter
to add a "-delete" option myself.  I also noticed and fixed a bug that
caused incorrect results when using the "-depth" option in some cases
(those of you with Linux boxes, which use the GNU find, can try: "find /var
-depth -empty" and you'll see what I mean).  This was important to do since
you need the -depth option to work for -delete to really work (-delete
implies -depth in my code).

There is another option.

In Red Hat Linux 4.2, there is a package called tmpwatch. Here is the
first part of the man page:

        NAME
              tmpwatch - removes files which haven't been accessed for a period
               of time

        SYNOPSIS
              tmpwatch [-fav] [--verbose] [--force]  [--all]  [--test]  <hours>
              <dirs>


        DESCRIPTION
            tmpwatch  recursively  removes  files which haven't been accessed
            for a given number of hours. Normally,  it's  used  to  clean  up
            directories  which  are  used for temporary holding space such as
            /tmp.

            When changing directories, tmpwatch is very sensitive to possible
            race  conditions  and will exit with an error if one is detected.
            It does not follow symbolic links in the directories it's  clean-
            ing  (even if a symbolic link is given as its argument), will not
            switch filesystems, and only removes empty directories and regular
            files.


The source for this program is 294 lines of C (including comments). Enough care
seems to have been taken to avoid race hazards and my limited examination of the
code satisfied me that there are no security problems with it. Specifically,
the program does everything itself; it does not rely on an external program for
any function, which should eliminate problems associated with special characters
and/or buffer overflows due to deep paths.
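The behaviour the man page describes (no symlink following, no filesystem switching, only regular files and empty directories removed, done in-process rather than via find | xargs rm) can be shown in a few dozen lines of C. The block below is an added example, not tmpwatch's source or anything from this thread; it assumes a POSIX.1-2008 libc with openat/fstatat/unlinkat, and the function names clean_dir and clean_tmp are mine.

```c
/* Added example in the spirit of the tmpwatch description above (not tmpwatch's
 * source): walk with *at() calls so symlinks are never followed, other mounts are
 * never entered, and only regular files and empty directories are removed. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Clean the directory behind dirfd (consumed). dev pins the filesystem; regular
 * files with atime before cutoff are removed. Returns count removed, -1 on error. */
static int clean_dir(int dirfd, dev_t dev, time_t cutoff)
{
    DIR *d = fdopendir(dirfd);                  /* takes ownership of dirfd */
    if (!d) { close(dirfd); return -1; }
    int removed = 0; struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        struct stat st, st2;
        /* AT_SYMLINK_NOFOLLOW: a symlink is described, never dereferenced */
        if (fstatat(dirfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) continue;
        if (st.st_dev != dev) continue;         /* stay on the starting filesystem */
        if (S_ISDIR(st.st_mode)) {
            /* O_DIRECTORY|O_NOFOLLOW: fails if the entry was swapped for a symlink */
            int sub = openat(dirfd, e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
            if (sub < 0) continue;
            /* what we opened must be the inode we stat'ed, else treat as a race */
            if (fstat(sub, &st2) != 0 || st2.st_ino != st.st_ino) { close(sub); continue; }
            int n = clean_dir(sub, dev, cutoff); /* closes sub */
            if (n > 0) removed += n;
            /* rmdir succeeds only if now empty; age taken from the pre-recursion stat */
            if (st.st_mtime < cutoff && unlinkat(dirfd, e->d_name, AT_REMOVEDIR) == 0) removed++;
        } else if (S_ISREG(st.st_mode) && st.st_atime < cutoff) {
            if (unlinkat(dirfd, e->d_name, 0) == 0) removed++;
        }   /* symlinks, sockets, fifos, device nodes: never touched */
    }
    closedir(d);
    return removed;
}

/* root itself must be a real directory, not a symlink to one (O_NOFOLLOW). */
int clean_tmp(const char *root, time_t max_age)
{
    struct stat st; int fd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0 || fstat(fd, &st) != 0) { if (fd >= 0) close(fd); return -1; }
    return clean_dir(fd, st.st_dev, time(NULL) - max_age);
}
```

Everything is addressed relative to an already-open directory fd, so a path that is rewritten underneath the walk cannot redirect a removal outside the tree the way it can with a path-based rm.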

The version that I have (tmpwatch-1.2-1.src.rpm) can be found at:

        ftp://wuarchive.wustl.edu/systems/linux/redhat/redhat-4.2/SPRMS/tmpwatch-1.2.1-1.rpm



Steven Leikeim
Department of Electrical and Computer Engineering
University of Calgary
Calgary, Alberta

Phone: (403) 220-5373
Fax:   (403) 282-6855


