
Re: cleaning up /var/tmp

Philippe Troin <phil@fifi.org> writes:
> Because we never follow symlinks, but only real files and real
> directories.  Symlinks, device files, sockets and other pipes will
> remain in /tmp (we could replace the -type f by ! -type l if we
> wanted to get rid of these).  Other flaws ?

That's not really the issue, though.  The problem is that the attacker
can change one of the directory components of the path to point to a
different location in the time between the 'find' and the 'xargs rm'.

So if the find locates '/tmp/a/passwd' to be deleted, where 'a' is a
directory and 'passwd' is a file, the attacker can replace 'a' with a
symlink to '/etc', causing '/etc/passwd' to be deleted by the 'xargs
rm /tmp/a/passwd'.  The point of having a long and convoluted file
path is only to guarantee the attacker a wider window in which to
exploit the race condition.
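A defensive counterpart to the race described above, added here as an example and not part of the original thread: a cleaner that walks with directory file descriptors (`dir_fd`) and `O_NOFOLLOW`, so a path component swapped for a symlink after its directory was opened cannot redirect the unlink. The directory layout and the `demo()` setup are constructed to mirror the '/tmp/a/passwd' scenario.

```python
import os
import stat
import tempfile
import time


def clean_tmp(root, max_age_s, now=None):
    """Delete regular files older than max_age_s under root, never following
    symlinks. Each step is relative to a held directory fd, so swapping a
    component for a symlink between the scan and the unlink changes nothing:
    the fd still refers to the directory that was opened."""
    now = time.time() if now is None else now
    removed = []

    def walk(dfd, rel):
        for name in os.listdir(dfd):  # listdir on an fd: no path re-lookup
            st = os.lstat(name, dir_fd=dfd)  # lstat never follows symlinks
            if stat.S_ISDIR(st.st_mode):
                try:  # O_NOFOLLOW|O_DIRECTORY fails if 'name' is now a symlink
                    sub = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                                  dir_fd=dfd)
                except OSError:
                    continue
                try:
                    walk(sub, os.path.join(rel, name))
                finally:
                    os.close(sub)
            elif stat.S_ISREG(st.st_mode) and now - st.st_mtime > max_age_s:
                os.unlink(name, dir_fd=dfd)  # unlink relative to the held fd
                removed.append(os.path.join(rel, name))

    rfd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        walk(rfd, "")
    finally:
        os.close(rfd)
    return removed


def demo():
    """Constructed layout: tmp/b/stale is an old file that should go;
    tmp/a is already a symlink to a fake etc/, the state the race aims for."""
    base = tempfile.mkdtemp()
    tmp, etc = os.path.join(base, "tmp"), os.path.join(base, "etc")
    os.makedirs(os.path.join(tmp, "b"))
    os.makedirs(etc)
    old = time.time() - 10 * 86400
    for p in (os.path.join(tmp, "b", "stale"), os.path.join(etc, "passwd")):
        open(p, "w").close()
        os.utime(p, (old, old))
    os.symlink(etc, os.path.join(tmp, "a"))
    removed = clean_tmp(tmp, max_age_s=86400)
    return removed, os.path.exists(os.path.join(etc, "passwd"))
```

GNU find's `-delete` action takes the same fd-relative approach, which is why it is preferred over piping into `xargs rm`.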
