
Bug#3099: /etc/cron.daily/standard security hole



Package: cron
Version: 3.0pl1-31

Please comment out the "find ... | xargs rm" type lines in the
/etc/cron.daily/standard script intended to remove old files from
/tmp and /var/tmp.  A clever user might trick it into removing
ANY file as root.  See the recent posting from Zygo Blaxell
<zblaxell@myrus.com> on the linux-security mailing list for more
information, how to exploit etc.  It is probably important to
fix it before the release...

Also check out the perl script which might be used to remove old
files when disk space is low, and does it in a more secure way.

http://www.ultratech.net/~zblaxell/admin_utils/filereaper.txt

Regards,

Marek
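
The report above asks for the "find ... | xargs rm" lines to be disabled and points to a safer reaper. As an added example (not code from the report, the cron package, or the linked filereaper script), here is one way to delete old files without handing path names to a second program. It assumes the weakness lies in names passed as delimited text through a pipe and then re-resolved by path, which the report itself does not spell out. `reap_old_files` and the 7-day limit in the test are hypothetical.

```python
import os
import stat
import time


def reap_old_files(top, max_age_days, now=None):
    """Unlink regular files under `top` older than `max_age_days`.

    Added illustration; the name and parameters are hypothetical.
    Returns the removed paths relative to `top`.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    removed = []
    # os.fwalk hands back an open directory fd for every directory it
    # visits. With follow_symlinks=False it checks that the directory it
    # opened is the one it lstat()ed, so a symlinked directory is never
    # descended into.
    for dirpath, _dirs, files, dirfd in os.fwalk(top, follow_symlinks=False):
        for name in files:
            try:
                # lstat relative to the directory fd: no path re-resolution,
                # and the name is used as-is (spaces or newlines included).
                st = os.stat(name, dir_fd=dirfd, follow_symlinks=False)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, FIFOs, sockets, devices
                if st.st_mtime >= cutoff:
                    continue  # still fresh
                # unlink relative to the same fd the entry was examined in
                os.unlink(name, dir_fd=dirfd)
            except FileNotFoundError:
                continue  # vanished between listing and removal
            removed.append(os.path.relpath(os.path.join(dirpath, name), top))
    return removed
```

Empty directories are left in place; only regular files are removed.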

