Bugtraq: Re: [linux-security] Things NOT to put in root's crontab


From: Jorge Guilherme <jmg_at_students.si.fct.unl.pt>
Date: Thu, 30 May 1996 17:56:36 +0200

 There is another problem with rm.

On Tue, 21 May 1996, Zygo Blaxell wrote:

> >From Redhat's /etc/crontab file:
> >43 02 * * * root find /var/tmp/* -atime +3 -exec rm -f {} \; 2> /dev/null
> * PROBLEM DISCUSSION AND EXPLOITATION
> The immediate security problem is that 'rm' doesn't check that
> components of the directory name are not symlinks. This means that you
 That's right. The main point is that it's a rm problem.

> * FIXES
> The easiest way to fix this is to get rid of the find/rm stuff
> completely. If you need a garbage collector, try our LRU garbage
> collection daemon at the URL given below.
 The best way (IMO) is to do a new rm.

> rm -f ./passwd
>
> which is secure as long as '.' isn't in your PATH. Note the leading
> './' to prevent rm from interpreting the filename as a parameter.
 If you use 'rm -f -- passwd' the file name won't be interpreted as a
parameter. '--' is the GNU standard for disabling any further option
processing.

 And now for some more bad news:
Imagine a 'find /tmp |xargs rm -f --'. To exploit this one you NEED NO
RACE condition. All that needs to be done is to create a directory called
' ' (Yep, that's a single space) and inside it create another one called
'etc' and inside that one do a 'touch passwd'.
 xargs will see the name of the directory ' ' as a field separator and
will pass to rm the argument '/etc/passwd'.

 There are more variations on this one lurking for the unaware
administrator, like when the output of find is sent to a file, something
like 'find /tmp > rm.list' and then the administrator would edit the file
to remove some files or directories that he didn't want deleted and then
do a 'xargs rm -f -- < rm.list' or 'rm -f -- `cat rm.list`' .

.::::.
| |
\\ //
 \\//
  \\ Jorge Guilherme
 //\\
|/ \\
     ~'
Blue
Received on Jun 03 1996
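
Added example (not part of the original message or thread): a sandboxed comparison of how many arguments land outside the scanned tree when `find` output is split by `xargs` on whitespace, versus NUL-delimited `find -print0 | xargs -0` and `find -exec ... {} +`. The function names are hypothetical, the directory layout is constructed in a temporary directory, and `printf` stands in for `rm -f --` so nothing is deleted.

```shell
#!/bin/sh
# Constructed sandbox reproducing the layout from the message:
# a directory named ' ' (one space) containing etc/passwd.
make_sandbox() {
    sb=$(mktemp -d "${TMPDIR:-/tmp}/xargs-demo.XXXXXX") || return 1
    mkdir -p "$sb/ /etc"
    : > "$sb/ /etc/passwd"
    : > "$sb/plain.txt"
    printf '%s\n' "$sb"
}

# Each function prints one line per argument the command would receive.
# printf stands in for 'rm -f --', so nothing is ever deleted.
args_unsafe() {   # newline output, split again by xargs on blanks
    find "$1" -type f | xargs printf '%s\n'
}
args_safe() {     # NUL-delimited (GNU/BSD extension): names pass intact
    find "$1" -type f -print0 | xargs -0 printf '%s\n'
}
args_exec() {     # POSIX form: find builds the argument list itself
    find "$1" -type f -exec printf '%s\n' {} +
}

# Read arguments on stdin, print how many fall outside the tree $1.
count_outside() {
    root=$1
    n=0
    while IFS= read -r arg; do
        case $arg in
            "$root"/*) ;;
            *) n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

demo=$(make_sandbox)
for f in args_unsafe args_safe args_exec; do
    printf '%s: %s argument(s) outside the tree\n' \
        "$f" "$("$f" "$demo" | count_outside "$demo")"
done
rm -rf -- "$demo"
```

The same `count_outside` check can be run over a saved list such as `rm.list` before it is fed to any command, provided no file name in it contains a newline.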
