From owner-freebsd-security Sun Aug 29 9:57:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
    by hub.freebsd.org (Postfix) with ESMTP id B683915764
    for ; Sun, 29 Aug 1999 09:57:21 -0700 (PDT)
    (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost)
    by gndrsh.dnsmgr.net (8.9.3/8.9.3) id JAA62404;
    Sun, 29 Aug 1999 09:56:54 -0700 (PDT)
    (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199908291656.JAA62404@gndrsh.dnsmgr.net>
Subject: Re: Not sure if you got it...
In-Reply-To: <19990829150958.A53712@euronet.nl> from Ben Gras at "Aug 29, 1999 03:09:59 pm"
To: ben@euro.net (Ben Gras)
Date: Sun, 29 Aug 1999 09:56:54 -0700 (PDT)
Cc: dynamo@ime.net, security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> All,
>
> On Sat, Aug 28, 1999 at 10:22:12PM -0400, dynamo@ime.net wrote:
> > to stop rebooting from working right any user can just do this...
> > ln -s /file/with/blocked/io/such/as/a/tty /var/tmp/vi.recover/recover.file
> > this is my second try -- if you can gimmie an "ok" so i know you got this
> > i would appreciate it.

Well, at least 2 of us got it since this is a reply to a reply... :-)

>
> On a related note.. is there any good reason to take the vi.recover business
> out of the boot process? It seems like a strangely vulnerable place to be
> processing user-controlled files, using shellscript under root even. And
> why during the boot? That only happens once every few years anyway (touch
> wood) ;-).
>
> Sounds like a crontab job to me.

Well, on first impression that may be true, but you have to be very
careful about which files you are going to process if you do this, as
you might accidentally try to recover an active edit session.
Note that some users (me especially) have very long running vi sessions,
months on end. So don't try to do it with a -*time option to find.

I am also worried a bit about this line, the echo makes it somewhat
safe in that you can't tag a && into the file name and have it execute
the command, but if that command is something other than echo it is
for sure a real big hole!

    virecovery=`echo /var/tmp/vi.recover/recover.*`

And thru examination and a bit of work someone should be able to take
advantage of the latter:

    recfile=`awk '/^X-vi-recover-path:/{print $2}' < $i`

Building the correct recover.* file name would be hard, as a foreach ()
is going to split these at spaces. And you need to create a companion
file that passes the test ! -r, but I think it could be done.

Someone want to go prove it....

-- 
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net
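
The two concerns raised in this thread (a recover.* symlink pointing at something that blocks on read, and the unquoted echo/awk handling of file names) can both be screened before a root script reads anything. The following is an added example, not the FreeBSD rc code and not from either poster; the function name is hypothetical, and it assumes backup files are named vi.* and live directly in the recovery directory.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the FreeBSD rc script).
# Prints "recover-file<TAB>backup-file" for every entry in the recovery
# directory that is safe for a root script to open.
list_safe_recover_files() {
    dir=$1
    # The shell expands the glob itself: no `echo`, no word splitting,
    # so names containing spaces stay in one piece.
    for f in "$dir"/recover.*; do
        # Reject symlinks before any open(): a link to a tty or FIFO
        # would block the reader (the boot-time hang reported above).
        [ -L "$f" ] && continue
        # Regular files only; this also skips an unmatched glob.
        [ -f "$f" ] || continue
        # Take the whole header value, not just $2, with the name quoted.
        path=$(awk '/^X-vi-recover-path:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$f")
        # Assumption: the backup must sit directly inside $dir as vi.*
        base=${path#"$dir"/}
        case $base in
            "$path"|*/*|'') continue ;;   # outside $dir, nested, or empty
            vi.*) ;;
            *) continue ;;
        esac
        [ -L "$path" ] && continue
        [ -f "$path" ] || continue
        printf '%s\t%s\n' "$f" "$path"
    done
}
```

The -L/-f tests and the later open are separate steps, so a user who can write to the directory can still race them; the checks narrow that window rather than close it.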