Date: Wed, 22 May 1996 11:24:40 -0400
From: Garrett Wollman <wollman@lcs.mit.edu>
To: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [linux-security] Things NOT to put in root's crontab (fwd)
Message-ID: <9605221524.AA07530@halloran-eldar.lcs.mit.edu>
In-Reply-To: <199605220653.IAA23614@spooky.lss.cp.philips.com>
References: <Pine.BSF.3.91.960521203607.17971A-100000@haven.uniserve.com> <199605220653.IAA23614@spooky.lss.cp.philips.com>
<<On Wed, 22 May 1996 08:53:31 +0200 (MET DST), Guido van Rooij <Guido.vanRooij@nl.cis.philips.com> said:

>> I think it doesn't.
>>
>> Our rm removes links, not files pointed to by links. So:
>>
>> cd /tmp
>> ln -s /etc/passwd thing
>> rm thing

> Besides, our find contains a -type, which also does not find symlinks (
> as long as type is not l). Furthermore, the find is commented out
> by default stating it is not secure.

Everyone seems to be completely missing the point! The exploit
described takes advantage of a race condition inherent in any sort of
`find -exec' operation. To put it simply:

Script                          Attacker
                                1) create foo/bar/baz
2) execute find on foo
3) locate foo/bar/baz
4) fork
                                5) move foo/bar to foo/bletch
                                6) ln -s /etc foo/bar
7) exec rm -f foo/bar/baz

oops, /etc/baz is now gone!

This is a problem in /etc/*ly, because they run in multiuser mode. It
is not a problem for /etc/rc.

-GAWollman

--
Garrett A. Wollman   | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu  | Shashish is the bonding of hearts in spite of distance.
Opinions not those of| It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA| who like Shashish. - Claude McKenzie + Florent Vollant
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9605221524.AA07530>
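
The following is an added example, not part of the original message: it replays the table's ordering inside a temporary directory and contrasts removal by re-resolved path (what `find -exec rm -f` amounts to) with removal relative to a directory descriptor opened without following symlinks. The function names and the `protected` directory, which stands in for /etc, are assumptions made for the illustration.

```python
import os
import tempfile

def remove_by_path(root, rel):
    """Path-based removal: the whole path is resolved again at unlink time."""
    os.unlink(os.path.join(root, rel))

def remove_by_fd(root, rel):
    """Descend one component at a time, refusing symlinks, then unlink
    relative to the directory descriptor that was actually reached."""
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    *dirs, name = rel.split("/")
    fd = os.open(root, flags)
    try:
        for d in dirs:
            nxt = os.open(d, flags, dir_fd=fd)  # raises OSError if d is a symlink
            os.close(fd)
            fd = nxt
        os.unlink(name, dir_fd=fd)
    finally:
        os.close(fd)

def demo(remover):
    """Constructed scenario; returns True if protected/baz survives."""
    with tempfile.TemporaryDirectory() as top:
        foo = os.path.join(top, "foo")
        protected = os.path.join(top, "protected")  # stand-in for /etc
        os.makedirs(os.path.join(foo, "bar"))
        os.makedirs(protected)
        for p in (os.path.join(foo, "bar", "baz"),
                  os.path.join(protected, "baz")):
            open(p, "w").close()
        # The walk has already located foo/bar/baz (steps 2-4).
        # Steps 5-6 from the table happen before the removal in step 7.
        os.rename(os.path.join(foo, "bar"), os.path.join(foo, "bletch"))
        os.symlink(protected, os.path.join(foo, "bar"))
        try:
            remover(foo, "bar/baz")
        except OSError:
            pass  # the fd-based walk refuses the symlinked component
        return os.path.exists(os.path.join(protected, "baz"))

if __name__ == "__main__":
    print("path-based removal, protected/baz survives:", demo(remove_by_path))
    print("fd-based removal,   protected/baz survives:", demo(remove_by_fd))
```

Because the descriptor-based walk holds an open handle on each directory it has verified, a rename of that directory after the open does not redirect the final unlink.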