
Re: /etc/crontab.daily and the security hole in find | xargs



On 7 Aug 1997, Jan Vroonhof wrote:

> I was checking out the files in /etc/crontab.daily and there it says
> above the standard
>  find <old tmp files> | xargs rm
> lines something to the effect of "These lines commented out because of
> the obvious security hole".
> 
> What security hole?
> 
> The only one I think I can see would be that xargs actually passes
> its command line to the shell without properly escaping the filenames
> it puts in.
> 
> Regardless of the nature of the hole: Is this fixed somewhere? The above
> "hole" would be fixed by making xargs call rm directly I think.

The problem is that there is a race condition involving running a 
"find | xargs rm" or similar command on any world-writable directory.  A
malicious person could construct an extremely long directory path, and then
between the time that find passes the name of the path and the time rm
gets around to removing the file, replace some component of the path
with a symlink.  This provides the potential to remove any file on the
system.  This isn't changed by making find call rm directly; that only
shortens the race.  The only solution is to come up with a program that
never follows symlinks, and checks that the i-node of the file it is
removing remains the same.

- -- 
                       |        Your friends will know you better in the
    Scott K. Ellis     |     first minute you meet than your acquaintances
    storm@gate.net     |           will know you in a thousand years.
                       |                      -- Illusions
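
One way to build the kind of remover the reply calls for, as an added example that is not part of the original message: it walks the path with `openat(..., O_NOFOLLOW)` and compares device and i-node before calling `unlinkat`. The function names, the `/tmp/safe_unlink_XXXXXX` scratch directory and the `sub`/`keep`/`old` layout are constructed for the demonstration, and a Linux or other POSIX.1-2008 system is assumed.

```c
/* Added example, not from the original post; names and paths are hypothetical. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove root/relpath only if no component is a symlink and the final entry is
 * still the (dev, ino) recorded at scan time. Over-long paths and paths that
 * contain ".." are refused. Returns 0 on removal, -1 otherwise. */
int safe_unlink(const char *root, const char *relpath, dev_t dev, ino_t ino) {
    char buf[4096], *name, *next, *save = NULL;
    struct stat st;
    int rc = -1, dirfd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dirfd < 0 || strlen(relpath) >= sizeof buf || strstr(relpath, "..")) goto out;
    strcpy(buf, relpath);
    name = strtok_r(buf, "/", &save);
    while (name && (next = strtok_r(NULL, "/", &save)) != NULL) {
        /* O_NOFOLLOW: fails if this component has been swapped for a symlink. */
        int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        close(dirfd);
        if ((dirfd = fd) < 0) goto out;
        name = next;
    }
    /* lstat-style check, relative to the directory descriptor we hold. */
    if (!name || fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) != 0) goto out;
    if (st.st_dev != dev || st.st_ino != ino || S_ISDIR(st.st_mode)) goto out;
    /* unlinkat acts on an entry of dirfd itself, so a late swap of a path
     * component cannot point the removal at another directory. */
    rc = unlinkat(dirfd, name, 0);
out:
    if (dirfd >= 0) close(dirfd);
    return rc;
}

/* Constructed scenario: record sub/old, optionally replace "sub" with a symlink
 * to "keep" (which has its own "old"), then attempt the delete.
 * Returns 0 = removed, 1 = refused with keep/old intact, 2 = keep/old lost. */
int demo(int swap) {
    char root[] = "/tmp/safe_unlink_XXXXXX";
    struct stat st;
    if (!mkdtemp(root) || chdir(root) || mkdir("sub", 0700) || mkdir("keep", 0700)) return -1;
    close(open("sub/old", O_CREAT | O_WRONLY, 0600));
    close(open("keep/old", O_CREAT | O_WRONLY, 0600));
    if (lstat("sub/old", &st)) return -1;
    if (swap && (rename("sub", "moved") || symlink("keep", "sub"))) return -1;
    if (safe_unlink(root, "sub/old", st.st_dev, st.st_ino) == 0) return 0;
    return access("keep/old", F_OK) == 0 ? 1 : 2;
}
int main(void) { return !(demo(0) == 0 && demo(1) == 1); }
```

An entry can still be replaced inside the held directory between `fstatat` and `unlinkat`, but the removal stays confined to that directory, which is the property a pathname-based `rm` lacks.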
