From roman@portal.stwing.upenn.edu  Sat Jun  1 04:35:05 1996
Received: from portal.stwing.upenn.edu (PORTAL.STWING.UPENN.EDU [165.123.50.39]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id EAA12514 for <best-of-security@suburbia.net>; Sat, 1 Jun 1996 04:35:01 +1000
Received: (from roman@localhost) by portal.stwing.upenn.edu (8.7.4/8.7.3) id OAA11849; Fri, 31 May 1996 14:38:20 -0400
From: Roman Gollent <roman@portal.stwing.upenn.edu>
Message-Id: <199605311838.OAA11849@portal.stwing.upenn.edu>
Subject: Re: More find -exec rm dangers was: Re: BoS: Re: [linux-security]
To: jpp@software.net (John Pettitt)
Date: Fri, 31 May 1996 14:38:19 -0400 (EDT)
Cc: whitis@dbd.com, zblaxell@myrus.com, linux-security@tarsier.cv.nrao.edu,
        best-of-security@suburbia.net
In-Reply-To: <2.2.32.19960524180112.00c0a8c0@mail.software.net> from "John Pettitt" at May 24, 96 11:01:12 am
Content-Type: text

John Pettitt wrote:

> At the very least the -exec should be /bin/rm

I would also add "--" after the "-f".  I haven't bothered to test out
whether or not this works, but what's to stop someone from creating a
file in /tmp named "-rf /" ?

Roman
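Both suggestions demonstrated in a scratch directory, as an added example and not code from anyone in this thread (the file name "-rf" is a constructed stand-in for the "-rf /" mentioned above). A glob that hands bare names to rm lets "-rf" be read as options, while "--" ends option parsing; note that find's -exec passes each path with its directory prefix (e.g. "/tmp/-rf"), so the name-as-option hazard mainly bites when names reach rm some other way.

```shell
#!/bin/sh
# Added example, not part of the thread: shows in a throwaway directory why
# "rm -f" wants "--" before filenames, and a find form that uses it.
# Only the sandbox created by make_sandbox is ever touched.

# Create a scratch directory holding a file literally named "-rf" (constructed
# sample input modelled on the thread's "-rf /") plus an ordinary file.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    : > "$dir/-rf"
    : > "$dir/normal.txt"
    printf '%s\n' "$dir"
}

# Unsafe form: the glob expands to the bare name "-rf", which rm reads as
# options, so the file "-rf" survives and only normal.txt is removed.
unsafe_clean() {
    (cd "$1" && /bin/rm -f *)
}

# Safe form: full path to rm, "--" ends option parsing, and find hands over
# paths with their directory prefix, so every regular file is removed.
safe_clean() {
    find "$1" -type f -exec /bin/rm -f -- {} +
}

# Return 0 if directory $1 exists and contains no entries, 1 otherwise.
sandbox_empty() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}
```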

