Date:      Sun, 29 Aug 1999 09:56:54 -0700 (PDT)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        ben@euro.net (Ben Gras)
Cc:        dynamo@ime.net, security@FreeBSD.ORG
Subject:   Re: Not sure if you got it...
Message-ID:  <199908291656.JAA62404@gndrsh.dnsmgr.net>
In-Reply-To: <19990829150958.A53712@euronet.nl> from Ben Gras at "Aug 29, 1999 03:09:59 pm"

> All,
> 
> On Sat, Aug 28, 1999 at 10:22:12PM -0400, dynamo@ime.net wrote:
>  > to stop rebooting from working right any user can just do this...
>  > ln -s /file/with/blocked/io/such/as/a/tty /var/tmp/vi.recover/recover.file
>  > this is my second try -- if you can gimmie an "ok" so i know you got this
>  > i would appreciate it.

Well, at least 2 of us got it since this is a reply to a reply... :-) 

> 
> On a related note.. is there any good reason to take the vi.recover business
> out of the boot process? It seems like a strangely vulnerable place to be
> processing user-controlled files, using shellscript under root even. And
> why during the boot? That only happens once every few years anyway (touch
> wood) ;-).
> 
> Sounds like a crontab job to me.

Well, on first impression that may be true, but you have to be very
careful about which files you are going to process if you do this,
as you might accidentally try to recover an active edit session.

Note that some users (me especially) have very long running vi sessions,
months on end.  So don't try to do it with a -*time option to find.

I am also worried a bit about this line, the echo makes it somewhat
safe in that you can't tag a && into the file name and have it execute
the command, but if that command is something other than echo it is
for sure a real big hole!
        virecovery=`echo /var/tmp/vi.recover/recover.*`

And thru examination and a bit of work someone should be able to
take advantage of the latter:
	recfile=`awk '/^X-vi-recover-path:/{print $2}' < $i`

Building the correct recover.* file name would be hard, as a
foreach () is going to split these at spaces.  And you need
to create a companion file that passes the test ! -r, but I
think it could be done.  Someone want to go prove it....


-- 
Rod Grimes - KD7CAX - (RWG25)                    rgrimes@gndrsh.dnsmgr.net
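
A hardened way to select and read the recovery files discussed in this message, shown as an added example that is not part of the original e-mail and not FreeBSD's rc code. The function names, the sample header values and the temporary directory are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc code. Function names are assumptions.

# Print the recover.* files in directory $1 that are safe to open, one per
# line. Symlinks, FIFOs, devices and directories are skipped without being
# opened, so a link to a tty or other blocking file cannot stall the caller.
# (A name containing a newline would be split across output lines.)
list_recover_files() {
    dir=$1
    for f in "$dir"/recover.*; do   # shell glob, no echo in backticks
        [ -L "$f" ] && continue     # never follow a user-planted symlink
        [ -f "$f" ] || continue     # regular files only; drops unmatched glob
        printf '%s\n' "$f"
    done
    return 0
}

# Print the value of the X-vi-recover-path header in file $1.
# The file name is quoted, the whole value is kept (it may contain spaces),
# and only the first matching header line is used.
recover_path() {
    [ ! -L "$1" ] && [ -f "$1" ] || return 1
    awk '/^X-vi-recover-path:/ {
             sub(/^X-vi-recover-path:[ \t]*/, ""); print; exit
         }' < "$1"
}

# Constructed sample directory: two regular files (one with a space in its
# name) and one symlink to a FIFO, which would block if it were opened.
demo() {
    d=$(mktemp -d) || return 1
    printf 'X-vi-recover-path: /var/tmp/vi.recover/vi.AAAA\n' > "$d/recover.good"
    printf 'X-vi-recover-path: /tmp/my notes\n' > "$d/recover.with space"
    mkfifo "$d/fifo" && ln -s "$d/fifo" "$d/recover.blocked"
    list_recover_files "$d" | while IFS= read -r f; do
        printf '%s -> %s\n' "$f" "$(recover_path "$f")"
    done
    rm -rf "$d"
}
demo
```

The type check and the open are separate steps, so this is only safe while nothing else can write to the directory between them; a job that runs while users are logged in still has that race.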

