Bug#3099: /etc/cron.daily/standard security hole

To: debian-bugs@pixar.com
Subject: Bug#3099: /etc/cron.daily/standard security hole
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
Date: Thu, 23 May 1996 04:25:49 +0200 (MET DST)
Message-id: <[🔎] 199605230225.EAA01373@i17linuxb.ists.pwr.wroc.pl>
Reply-to: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>, debian-bugs@pixar.com

Package: cron
Version: 3.0pl1-31

Please comment out the "find ... | xargs rm" type lines in the
/etc/cron.daily/standard script intended to remove old files from
/tmp and /var/tmp.  A clever user might trick it into removing
ANY file as root.  See the recent posting from Zygo Blaxell
<zblaxell@myrus.com> on the linux-security mailing list for more
information, how to exploit etc.  It is probably important to
fix it before the release...

Also check out the perl script which might be used to remove old
files when disk space is low, and does it in a more secure way.

http://www.ultratech.net/~zblaxell/admin_utils/filereaper.txt

Regards,

Marek

Reply to:

Prev by Date: Re: ping!
Next by Date: Bug#3100: no /etc/rmt with tar
Previous by thread: Re: ping!
Next by thread: Bug#3100: no /etc/rmt with tar
Index(es):
- Date
- Thread