Re: cleaning up /var/tmp
Philippe Troin <firstname.lastname@example.org> writes:
> Because we never follow symlinks, but only real files and real
> directories. Symlinks, device files, sockets and other pipes will
> remain in /tmp (we could replace the -type f by ! -type l if we
> wanted to get rid of these). Other flaws?
That's not really the issue, though. The problem is that the attacker
can change one of the directory components of the path to point to a
different location in the time between the 'find' and the 'xargs rm'.
So if the find locates '/tmp/a/passwd' to be deleted, where 'a' is a
directory and 'passwd' is a file, the attacker can replace 'a' with a
symlink to '/etc', causing '/etc/passwd' to be deleted by the 'xargs
rm /tmp/a/passwd'. The point of having a long and convoluted file
path is only to guarantee the attacker a wider window in which to
exploit the race condition.