Vulnerability Development mailing list archives
Re: Unix * weirdness
From: zinx () LINUXFREAK COM (Forever shall I be.)
Date: Sat, 1 Jan 2000 16:53:16 -0600
Blue Boar wrote:
This is one of those funny thing I notice when doing my regular job. I had to clean out the following directory: (It's from a firewall-1 install, if you're curious) ls -al total 62 -rw-r--r-- 1 root other 24 Apr 16 1999 -proc drwxr-xr-x 11 root root 512 Dec 30 18:13 . drwxr-xr-x 23 root root 512 Dec 30 17:25 .. drwx------ 2 root bin 1024 Aug 5 20:32 bin drwx------ 2 root bin 512 Jan 13 1999 cisco drwx------ 2 root bin 512 Jan 13 1999 doc drwx------ 3 root bin 1024 Apr 16 1999 lib drwx------ 2 root other 13312 Dec 22 00:01 log drwx------ 2 root root 8192 Jan 13 1999 lost+found drwx------ 5 root bin 512 Jan 13 1999 man drwx------ 2 root bin 512 Apr 16 1999 modules drwx------ 2 root bin 1024 Jan 13 1999 scripts # rm -R * rm: illegal option -- p rm: illegal option -- o rm: illegal option -- c usage: rm [-fiRr] file ... It took me a minute. It's taking the file named -proc and parsing as if it was a set of command line options. I guess this makes some sense.. I believe the shell just takes all the files and makes them all command-line parameters when you use *.
Yes, the shell only does the expansion, the program parses the command line arguments.
Naturally, I've been thinking about the possibilities... I haven't had much time to work out details (got sucked into Y2K weekend work) so I wanted to pass this to the list for further explanation. BTW, I got rid of it with: # unlink -proc
at least with GNU rm (and i'm assuming all other versions have a similar method), you can use rm -- -proc, but you could have also done rm ./-proc (or in this case, rm -R ./*).
So, I wonder what other kinds of traps can be laid for the root user or cron jobs, etc... For example, here's a line from my S05RMTMPFILES in /etc/rc2.d dir, on a Solaris 2.6 machine. (Which is where this behavior was noticed): /usr/bin/rm -rf /tmp/*
All arguments will be prefixed with /tmp/ in this case, thus negating the effect. No vulnerability.
So, if I can place an interestingly names file in /tmp (and anyone can) can I get interesting things to happen when the machine reboots.
Nope.
For example, can I get a file with spaces in it? How about the | (vertical bar) character? How about a ; ?
Yes, but it won't matter, when it's expanded by the shell they will be passed as if they were quoted.
(Yes, I could test it myself if I had time at the moment.) Is this a really old "feature" that everyone knows about except me?
You need to learn more about how shell expanding, and 'rm' work :)
BB
-- Zinx Verituse (finger @bliss.penguinpowered.com for pgp/gpg keys)(new jul10/99) pgp9FE5C9747EB8FF329BB13199C4008E67/gpg574673A12184A27A9EC0EDCCE132BCEF921B1558 0"2-1=0>0:1(2<192:0?0;0A0@2=0<0=1.0A2=0<2A0-">:#v_52*,@ 55*-3*\68*-+, v >
Current thread:
- Unix * weirdness Blue Boar (Jan 01)
- Re: Unix * weirdness Yong S. Yi (Jan 01)
- Re: Unix * weirdness Forever shall I be. (Jan 01)
- Re: Unix * weirdness Blue Boar (Jan 01)
- Re: Unix * weirdness Warner Losh (Jan 01)
- Re: Unix * weirdness Bernie Cosell (Jan 01)
- Re: Unix * weirdness Blue Boar (Jan 01)
- iishack/tesoiis.c - What's wrong ? Ory Segal (Jan 03)
- Re: iishack/tesoiis.c - What's wrong ? Seth Georgion (Jan 03)
- Re: iishack/tesoiis.c - What's wrong ? The Underground Legendary Emperor (Jan 04)
- Re: Unix * weirdness Blue Boar (Jan 01)
- Re: Unix * weirdness Blue Boar (Jan 01)