From jpp@software.net  Sat May 25 04:03:21 1996
Received: from software.net (root@www2.software.net [204.69.144.2]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id EAA26822 for <best-of-security@suburbia.net>; Sat, 25 May 1996 04:03:18 +1000
Received: from bugs.software.net (bugs.software.net [204.69.144.84]) by software.net (8.7.1/3.2W4) with SMTP id LAA02060; Fri, 24 May 1996 11:04:07 -0700
Message-Id: <2.2.32.19960524180112.00c0a8c0@mail.software.net>
X-Sender: jpp@mail.software.net
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 24 May 1996 11:01:12 -0700
To: Mark Whitis <whitis@dbd.com>, Zygo Blaxell <zblaxell@myrus.com>
From: John Pettitt <jpp@software.net>
Subject: More find -exec rm dangers was: Re: BoS: Re: [linux-security]
  Things NOT to put in root's crontab
Cc: linux-security@tarsier.cv.nrao.edu, best-of-security@suburbia.net

At 12:56 PM 5/24/96 -0400, Mark Whitis wrote:
>On Tue, 21 May 1996, Zygo Blaxell wrote:
>
>> >From Redhat's /etc/crontab file:
>> ># Remove /var/tmp files not accessed in 10 days
>> >43 02 * * * root find /var/tmp/* -atime +3 -exec rm -f {} \; 2> /dev/null
>> >
Find (at least the Linux source I have) uses execvp to run commands. Since
execvp follows the PATH environment to find the target program, and since
*many* people still have a '.' in a root path (silly but true), find can be
fooled into running arbitrary programs by leaving a program called 'rm' in
the right place.

At the very least the -exec should be /bin/rm

John Pettitt, jpp@software.net
EVP, CyberSource Corporation, 415 473 3065

PGP Key available at:
http://www-swiss.ai.mit.edu/htbin/pks-extract-key.pl?op=get&search=0xB7AA3705
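An added example, not from the original message, that checks for the two conditions John describes: a PATH that resolves through the current directory, and a crontab `find ... -exec` entry that names its command without a slash, so execvp looks it up through PATH instead of running /bin/rm directly. The crontab sample is constructed (modelled on the quoted Red Hat line), and POSIX sh with sed is assumed.

```shell
# Added example (not from the original post): flag a PATH that resolves through
# the current directory, and crontab -exec commands that execvp resolves via PATH.

# Return 0 when a PATH-style string contains the current directory, either as
# an explicit '.' or as an empty component (leading, trailing or '::').
path_has_cwd() {
    case "$1" in :*|*:|*::*) return 0 ;; esac
    _old_ifs=$IFS; IFS=:
    for _d in $1; do
        if [ "$_d" = "." ]; then IFS=$_old_ifs; return 0; fi
    done
    IFS=$_old_ifs
    return 1
}

# Print the command word following the first -exec/-execdir on a crontab line.
exec_cmd_of() {
    printf '%s\n' "$1" | sed -n 's/.*-exec[a-z]* \([^ ]*\).*/\1/p'
}

# Return 0 when the line runs -exec with a bare command name (no slash).
exec_uses_relative_cmd() {
    _cmd=$(exec_cmd_of "$1")
    [ -n "$_cmd" ] || return 1
    case "$_cmd" in */*) return 1 ;; *) return 0 ;; esac
}

# Constructed crontab sample, modelled on the Red Hat line quoted above.
CRONTAB_SAMPLE='# Remove /var/tmp files not accessed in 10 days
43 02 * * * root find /var/tmp/* -atime +3 -exec rm -f {} \; 2> /dev/null
43 03 * * * root find /tmp -type f -atime +7 -exec /bin/rm -f {} \; 2> /dev/null
0 4 * * * root /usr/sbin/logrotate /etc/logrotate.conf'

# Report PATH-dependent -exec lines on stderr and print how many were found.
count_relative_execs() {
    _n=0
    while IFS= read -r _line; do
        case "$_line" in ''|\#*) continue ;; esac
        if exec_uses_relative_cmd "$_line"; then
            _n=$((_n + 1))
            printf 'PATH-dependent -exec: %s\n' "$_line" >&2
        fi
    done <<EOF
$1
EOF
    echo "$_n"
}

if path_has_cwd "$PATH"; then echo "warning: PATH resolves through the current directory" >&2; fi
```

Run against the real crontab with `count_relative_execs "$(cat /etc/crontab)"`; each reported line should be changed to an absolute command path such as /bin/rm.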