From joneswr@fsg.prusec.com  Sat Jun  1 06:41:54 1996
Received: from melbourne.world.net (melbourne.world.net [198.142.2.1]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id GAA19671 for <best-of-security@suburbia.net>; Sat, 1 Jun 1996 06:41:52 +1000
Received: from prusec.com (mail.prusec.com [199.170.123.66]) by melbourne.world.net (8.7.4/8.6.6) with ESMTP id GAA04663 for <best-of-security@suburbia.net>; Sat, 1 Jun 1996 06:43:22 +1000 (EST)
Received: by prufire1.prusec.com id <35791>; Fri, 31 May 1996 16:29:21 -0400
Sender: joneswr@fsg.prusec.com
Date: Fri, 31 May 1996 16:30:38 -0400
From: Jones <joneswr@fsg.prusec.com>
X-Mailer: Mozilla 2.01 (X11; I; AIX 2)
Mime-Version: 1.0
To: best-of-security@suburbia.net, linux-security@tarsier.cv.nrao.edu
Subject: Re: BoS: Re: More find -exec rm dangers was: Re: BoS: Re: [linux-security]
References: <199605311838.OAA11849@portal.stwing.upenn.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <96May31.162921edt.35791@prufire1.prusec.com>


Roman Gollent wrote:
> 
> John Pettitt wrote:
> 
> > At the very least the -exec should be /bin/rm
> 
> I would also add "--" after the "-f".  I haven't bothered to test out
> whether or not this works, but what's to stop someone from creating a
> file in /tmp named "-rf /" ?
> 
> Roman

How about bothering to check...

if the file:

"/var/tmp/-f /"

exists, then the command

find /var/tmp/* -atime +3 -print

returns

"/var/tmp/-f /"

and the "-f /" would not be taken as the -f flag with / as a parameter.




OK how about BOS gets back to Best of posts instead of these suppositions
and unchecked comments.

1.  cron has the path preset so "-exec rm -f {}" is just fine.
2.  files will not get used as flags to rm since the ./ will be there.
3.  The original post stated a specific problem with race conditions
    that could be exploited on "LINUX" systems.  This does not mean that
    all UNIX flavors have this problem.  The race condition has only been
    shown on LINUX systems and not on others.  Since the code was independently
    grown for LINUX there is a good chance other systems have very different
    looking code and use different calls than LINUX.  This is not to be confused
    with my saying that they are not broke as well, just that no post so far
    has given test results from actually checking it out.
4.  Unless you checked it out and it's really broke, keep it to yourself.

RJ
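To check the point behind items 2 and the "-f /" filename question above, here is an added POSIX shell example (not code from the thread) that builds a scratch directory standing in for /var/tmp, creates a file literally named "-rf", and exposes exactly what find hands to its -exec command via {}; the directory name from mktemp and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: show what rm actually receives when
# find -exec expands {} for a file whose name begins with "-", and why
# "/bin/rm -f --" is a cheap extra precaution on top of that.
set -eu

# Constructed scratch directory standing in for /var/tmp (an assumption).
SANDBOX="$(mktemp -d)"
: > "$SANDBOX/-rf"          # name that looks like an rm option
: > "$SANDBOX/normal.txt"

# Print, one per line, exactly the arguments find hands to -exec via {}
# when started from an absolute directory. Every entry carries the
# directory prefix, so "-rf" reaches the command as ".../-rf".
args_absolute() {
    find "$SANDBOX" -type f -exec printf '%s\n' {} \;
}

# Same, started from "." inside the directory: entries arrive as "./-rf",
# which is the "./ will be there" point from the message above.
args_relative() {
    ( cd "$SANDBOX" && find . -type f -exec printf '%s\n' {} \; )
}

# The cron-style cleanup: full path to rm, and "--" so that no expansion
# of {} can ever be parsed as an option even if the prefix were missing.
cleanup() {
    find "$SANDBOX" -type f -exec /bin/rm -f -- {} \;
}

# Number of regular files left in the scratch directory.
remaining() {
    find "$SANDBOX" -type f | wc -l | tr -d ' '
}
```

Run args_absolute or args_relative to see the prefixed names, then cleanup and remaining to confirm only the scratch files were removed.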

