Wrong. Check out this snippet from find.pl (from perl 5.003):

    # Get link count and check for directoriness.
    ($dev,$ino,$mode,$nlink) = lstat($_) unless $nlink;
    if (-d _) {
        # It really is a directory, so do it recursively.
        if (!$prune && chdir $_) {
            &finddir($name,$nlink);
            chdir '..';
        }
        --$subcount;
    }

It "checks for directoriness", and if it is a directory it chdir's into it.
This does not do anything at all to prevent someone changing the name which
used to be a directory into a link to somewhere else in the meantime. You
have to assume an attacker can make your Perl script run arbitrarily slow
(not like this is hard with Perl in the first place) and therefore can do
bad things in between the lstat and the chdir. The modification to the
GNU find I wrote (hopefully) catches any such possible attack. I have not
looked at the RedHat thing Steven mentions, so I can't comment on how well
it does in this regard.

-- 
Douglas Siebert                Director of Computing Facilities
douglas-siebert@uiowa.edu      Division of Mathematical Sciences, U of Iowa

If you let the system beat you long enough, eventually it'll get tired.
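
One way to close the lstat/chdir window described above, as an added example that is not part of the original post and is not the GNU find modification it mentions: open the directory without following a symlink, compare its device and inode with what lstat() saw, and enter through the descriptor. The names `enter_checked` and `demo` and the scratch paths are hypothetical, and the swap between check and use is constructed inline so the result is deterministic.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Enter `name` only if it is still the object an earlier lstat() saw.
 * Returns 0 on success, -1 on refusal; the cwd is unchanged on refusal. */
int enter_checked(const char *name, const struct stat *seen)
{
    struct stat now;
    /* O_NOFOLLOW: refuse if the final component has become a symlink. */
    int fd = open(name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0) return -1;
    /* Same device and inode as at check time, or it was swapped. */
    int ok = fstat(fd, &now) == 0 &&
             now.st_dev == seen->st_dev && now.st_ino == seen->st_ino &&
             fchdir(fd) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed scenario. swap: 0 = none, 1 = "sub" becomes a symlink,
 * 2 = "sub" becomes a different real directory. 1 means setup failed. */
int demo(int swap)
{
    char tmpl[] = "/tmp/toctou.XXXXXX";
    struct stat seen;
    int rc = 1, home = open(".", O_RDONLY | O_DIRECTORY);
    if (home < 0 || !mkdtemp(tmpl) || chdir(tmpl) != 0) return 1;
    if (mkdir("sub", 0700) == 0 && mkdir("other", 0700) == 0 &&
        lstat("sub", &seen) == 0 &&                    /* the check */
        (swap == 0 || rename("sub", "moved") == 0) &&  /* the swap  */
        (swap != 1 || symlink("other", "sub") == 0) &&
        (swap != 2 || rename("other", "sub") == 0))
        rc = enter_checked("sub", &seen);              /* the use   */
    /* Remove the scratch tree and go back to where we started. */
    if (chdir(tmpl) == 0) { remove("sub"); remove("moved"); remove("other"); }
    if (fchdir(home) != 0) rc = 1;
    close(home);
    rmdir(tmpl);
    return rc;
}

int main(void)
{
    printf("%d %d %d\n", demo(0), demo(1), demo(2));
    return 0;
}
```

The inode comparison is what catches the second swap, where the replacement is a real directory and O_NOFOLLOW alone would let it through.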