Re: aaa_base still vulnerable after upgrade

[Valdis.Kletnieks () VT EDU (Valdis.Kletnieks () VT EDU)]

On Sat, 29 Apr 2000 23:08:42 +0200, Matthias Andree <ma () DT E-TECHNIK UNI-DORTMUND DE>  said:
> marc () suse de (Marc Heuse) writes:
> There is no point in discussing this. One simply does not code rm -f
> $DEL_FILE, but rm -f "$DEL_FILE", or better, not even mess with so much
> scripts if a simple find will do (see the announcement).

Note that "simple find" will *still* have problems doing it correctly and
securely.  There was a whole thread about this back in the '95-'96 timeframe
about 'find <whatever" | xargs rm' being insecure, which lead to a discussion
of using 'find <whatever> -exec rm' which was STILL insecure.

> > > touch "/tmp/x /etc/rc.config"
> >
> > btw have you ever tried out this command? It won't work. A filename is not
> > allowed to have a slash in it's name ...
>
> That's correct, I missed that (fails with 'no such file or directory'
> since there is no "/tmp/x " directory here). Still, you can delete

Try this:

mkdir -p "/tmp/x /etc/"
touch "/tmp/x /etc/rc.config"

The problem is you can't 'touch /A/B/C/D' if /A/B/C and/or /A/B don't exist
yet.

--
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech