local user can delete arbitrary files
Hello,

it had been announced to info@suse.de about one year ago, but the bug still exists in /etc/cron.daily/aaa_base (or perhaps also /root/bin/cron.daily for older SuSE versions). Tested on SuSE 6.0 and 6.3 but probably existent on earlier versions.

If MAX_DAYS_IN_TMP > 0 in /etc/rc.config, a local user can delete arbitrary files on the system by doing some commands like these:

mkdir -p "/tmp/hhh /somedirectory"
touch -t some-early-date "/tmp/hhh /somedirectory/somefile"
sleep 1d

Here the patch for suse-package aaa_base-2000.1.3-0:

--- aaa_base~ Mon Jan 3 18:16:55 2000 +++ aaa_base Fri Apr 21 08:42:19 2000 @@ -158,20 +158,10 @@ done for TMP_DIR in $TMP_DIRS_TO_CLEAR ; do - for DEL_FILE in `find $TMP_DIR/. $OMIT \( -type f -o -type l \) \ - -atime +$MAX_DAYS_IN_TMP | sort -r` ; do - rm -f $DEL_FILE - DEL_DIR=`dirname $DEL_FILE` - if [ "$DEL_DIR" != "$TMP_DIR/." ] ; then - rmdir $DEL_DIR 2> /dev/null - fi - done - done - for DEL_DIR in `find $TMP_DIR/. $OMIT \( -type d \) \ - -ctime +$MAX_DAYS_IN_TMP | sort -r` ; do - if [ "$DEL_DIR" != "$TMP_DIR/." ] ; then - rmdir $DEL_DIR 2> /dev/null - fi + find $TMP_DIR/. $OMIT ! -type d \ + -atime +$MAX_DAYS_IN_TMP -exec rm -f '{}' ';' + find $TMP_DIR/. $OMIT -depth -type d -empty -mindepth 1 \ + -mtime +$MAX_DAYS_IN_TMP -exec rmdir '{}' ';' done fi

Cheers, Peter
--
Peter Münster http://gmv.spm.univ-rennes1.fr/~peter/
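Review bot: in the added `-exec rm -f '{}' ';'` line, rm still receives the full path from `$TMP_DIR/.` downward and resolves it again after find has tested it, so the removal relies on no directory component changing in between. Where the installed find supports it, `-execdir rm -f '{}' ';'` performs the removal relative to the directory find is in and narrows that dependency. Also, `-mindepth 1` is a global option but is written after the tests `-type d -empty`; moving it next to `-depth` makes it clear that it applies to the whole expression.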
On Fri, Apr 21, 2000 at 08:43 +0200, Peter Münster wrote:
If MAX_DAYS_IN_TMP > 0 in /etc/rc.config, a local user can delete arbitrary files on the system by doing some commands like these:

mkdir -p "/tmp/hhh /somedirectory"
touch -t some-early-date "/tmp/hhh /somedirectory/somefile"
sleep 1d
Here the patch for suse-package aaa_base-2000.1.3-0:
--- aaa_base~ Mon Jan 3 18:16:55 2000 +++ aaa_base Fri Apr 21 08:42:19 2000 @@ -158,20 +158,10 @@ done
for TMP_DIR in $TMP_DIRS_TO_CLEAR ; do - for DEL_FILE in `find $TMP_DIR/. $OMIT \( -type f -o -type l \) \ - -atime +$MAX_DAYS_IN_TMP | sort -r` ; do - rm -f $DEL_FILE - DEL_DIR=`dirname $DEL_FILE` - if [ "$DEL_DIR" != "$TMP_DIR/." ] ; then - rmdir $DEL_DIR 2> /dev/null - fi - done - done - for DEL_DIR in `find $TMP_DIR/. $OMIT \( -type d \) \ - -ctime +$MAX_DAYS_IN_TMP | sort -r` ; do - if [ "$DEL_DIR" != "$TMP_DIR/." ] ; then - rmdir $DEL_DIR 2> /dev/null - fi + find $TMP_DIR/. $OMIT ! -type d \ + -atime +$MAX_DAYS_IN_TMP -exec rm -f '{}' ';' + find $TMP_DIR/. $OMIT -depth -type d -empty -mindepth 1 \ + -mtime +$MAX_DAYS_IN_TMP -exec rmdir '{}' ';' done fi
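Review bot: the directory pass changes the age test from `-ctime +$MAX_DAYS_IN_TMP` to `-mtime +$MAX_DAYS_IN_TMP` without saying why. mtime, like the atime used for the file pass, can be set by the owner (the `touch -t` step in the report does exactly that), while ctime cannot; either keep `-ctime` for directories or state in the patch description why mtime is wanted.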
Besides the fact that the above (original) "for DEL_FILE in `find ...`; do" won't work for many (some 4K) files or longer command lines, your suggestion ("find ... -exec") is quite expensive in terms of cpu load (i.e. process creation).

Make it read "find ... -print0 | xargs --null rm/rmdir" and the result should be space aware *and* cost effective. Since the original tried to rmdir anyway (with stderr directed to /dev/null) your simpler notation is even better to read and maintain.

To summarize, let me cite the full result here:

-----------------------------------------------------------------
[ ... ]
    for TMP_DIR in $TMP_DIRS_TO_CLEAR ; do
      find $TMP_DIR/. $OMIT ! -type d \
        -atime +$MAX_DAYS_IN_TMP -print0 | \
        xargs --null rm -f
      find $TMP_DIR/. $OMIT -depth -type d -empty -mindepth 1 \
        -mtime +$MAX_DAYS_IN_TMP -print0 | \
        xargs --null rmdir
    done
[ ... ]
-----------------------------------------------------------------

virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
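The whitespace handling discussed in this thread, as an added regression check that is not part of any poster's message or of SuSE's script: it runs a reduction of the removed word-splitting loop and the `-print0`/xargs form against a constructed sandbox and reports whether a file outside the cleaned tree survives. The function names and the sandbox layout are assumptions, and the mktemp path is assumed to contain no whitespace.

```shell
#!/bin/sh
# Added regression check; every path is constructed under a fresh mktemp dir.

# Build <box>/tmp (tree to clean) and <box>/keep/victim (must never be removed).
make_box() {
    box=$(mktemp -d) || return 1
    mkdir -p "$box/tmp" "$box/keep"
    : > "$box/keep/victim"
    # Stale file under <box>/tmp whose path holds a space followed by the
    # path of the outside file (constructed sample, timestamps set to 1999).
    mkdir -p "$box/tmp/x $box/keep"
    : > "$box/tmp/x $box/keep/victim"
    touch -t 199901010000 "$box/tmp/x $box/keep/victim"
    printf '%s\n' "$box"
}

# Reduction of the loop the patch removes: find output is word-split.
clean_split() {
    for f in $(find "$1/." ! -type d -atime +"$2" | sort -r); do
        rm -f $f 2>/dev/null || :   # unquoted on purpose, as in the old loop
    done
}

# NUL-delimited form from the reply (-0 is the short spelling of --null).
clean_null() {
    find "$1/." ! -type d -atime +"$2" -print0 | xargs -0 rm -f
}

# 0: stale file removed, outside file intact
# 1: outside file was removed   3: stale file was left behind
check_cleaner() {
    b=$(make_box) || return 2
    "$1" "$b/tmp" 1
    rc=0
    [ ! -e "$b/tmp/x $b/keep/victim" ] || rc=3
    [ -e "$b/keep/victim" ] || rc=1
    rm -rf "$b"
    return $rc
}

for c in clean_split clean_null; do
    if check_cleaner "$c"; then echo "$c: ok"; else echo "$c: FAILED ($?)"; fi
done
```

This checks whitespace handling only; Thomas Biege's reply later in the thread notes that the `-print0` form is still not safe against link attacks in tmp.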
Peter Münster wrote:
Hello, it had been announced to info@suse.de about one year ago, but the bug still exists in /etc/cron.daily/aaa_base (or perhaps also /root/bin/cron.daily for older SuSE versions). Tested on SuSE 6.0 and 6.3 but probably existent on earlier versions.
The same for 6.4. Would someone from SuSE care to comment on this stupid bug?
Here the patch for suse-package aaa_base-2000.1.3-0:
[...]
Using the `-print0' option to find and `--null' argument to xargs does a better job, btw.

Andreas
------------------------------------------------------------------------
Andreas Gruenbacher, a.gruenbacher@computer.org
Contact information: http://www.bestbits.at/~ag/
Hi, On Fri, 21 Apr 2000, Andreas Gruenbacher wrote:
it had been announced to info@suse.de about one year ago, but the bug still exists in /etc/cron.daily/aaa_base (or perhaps also /root/bin/cron.daily for older SuSE versions). Tested on SuSE 6.0 and 6.3 but probably existent on earlier versions.
The same for 6.4.
Would someone from SuSE care to comment on this stupid bug?
We are working on a fix.
Here the patch for suse-package aaa_base-2000.1.3-0:
[...]
Using the `-print0' option to find and `--null' argument to xargs does a better job, btw.
But it isn't safe against link attacks in tmp.

BTW, I hope my comment wasn't stupid.

Bye, Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
participants (4)
- Andreas Gruenbacher
- Gerhard Sittig
- Peter Münster
- Thomas Biege