Re: Safe /tmp cleanup

Steven Leikeim (steven@ENEL.UCALGARY.CA)
Wed, 12 Nov 1997 10:48:59 -0700

dsiebert@ICAEN.UIOWA.EDU writes
>
> There was a thread in Bugtraq a couple months ago about safe cleanup of
> /tmp and other publicly-writable directories. The problem is with the
> traditional cleanup along the lines of:
>
> find /tmp -someoptions -print | xargs rm -moreoptions
>
> An attacker can create conditions using deep directories and symbolic
> links that will cause this command to delete any arbitrary file on the
> filesystem. See the archives for more info.
>
> This started a long discussion, and only two good solutions were proposed
> to my recollection. One, someone had a Perl script named "saferm" which
> did an insane amount of sanity checking to verify the path was correct.
> Two, it was proposed that the find command itself should handle this.
> The Perl script is quite slow and overly complex, I wanted a better
> solution. I took a look at the GNU archive to see if they had a find
> command which might already have such an option. They had a find command
> which hasn't been updated for about three years, which had no such option.
> But the source is very easy to read and modify so it was a simple matter
> to add a "-delete" option myself. I also noticed and fixed a bug that
> caused incorrect results when using the "-depth" option in some cases
> (those of you with Linux boxes, which use the GNU find, can try: "find /var
> -depth -empty" and you'll see what I mean) This was important to do since
> you need the -depth option to work for -delete to really work (-delete
> implies -depth in my code)

There is another option.

In Red Hat Linux 4.2, there is a package called tmpwatch. Here is the
first part of the man page:

NAME
tmpwatch - removes files which haven't been accessed for a period
of time

SYNOPSIS
tmpwatch [-fav] [--verbose] [--force] [--all] [--test] <hours>
<dirs>

DESCRIPTION
tmpwatch recursively removes files which haven't been accessed
for a given number of hours. Normally, it's used to clean up
directories which are used for temporary holding space such as
/tmp.

When changing directories, tmpwatch is very sensitive to possible
race conditions and will exit with an error if one is detected.
It does not follow symbolic links in the directories it's clean-
ing (even if a symbolic link is given as its argument), will not
switch filesystems, and only removes empty directories and regular
files.

The source for this program is 294 lines of C (including comments). Enough care
seems to have been taken to avoid race hazards, and my limited examination of the
code satisfied me that there are no security problems with it. Specifically,
the program does everything itself; it does not rely on an external program for
any function, which should eliminate problems associated with special characters
and/or buffer overflows due to deep paths.

The version that I have (tmpwatch-1.2-1.src.rpm) can be found at:

ftp://wuarchive.wustl.edu/systems/linux/redhat/redhat-4.2/SPRMS/tmpwatch-1.2.1-1.rpm

Steven Leikeim
Department of Electrical and Computer Engineering
University of Calgary
Calgary, Alberta

Phone: (403) 220-5373
Fax: (403) 282-6855
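The properties the tmpwatch man page lists (never following symlinks, never crossing filesystems, removing only regular files and empty directories, and aborting when a race is detected on entering a directory) are what separate a safe cleaner from the `find ... | xargs rm` pipeline. The block below is an added illustration, not tmpwatch's code or anything posted in this thread: it implements the same rules using the `dir_fd`/`O_NOFOLLOW` interfaces modern Python exposes (not available in 1997), and the sample tree it cleans is constructed inside the function.

```python
import os, stat, tempfile, time

def safe_clean(dir_fd, root_dev, max_age, now):
    # Everything is relative to an open directory fd, so renamed or symlinked
    # path components cannot redirect the deletion (the find|xargs rm defect).
    for name in os.listdir(dir_fd):
        try:
            st = os.lstat(name, dir_fd=dir_fd)       # never follows a symlink
        except FileNotFoundError:
            continue                                 # vanished under us
        if st.st_dev != root_dev:
            continue                                 # do not cross filesystems
        if stat.S_ISREG(st.st_mode):                 # symlinks, fifos, devices: skipped
            if now - st.st_atime > max_age:
                os.unlink(name, dir_fd=dir_fd)       # unlinkat() on this entry only
        elif stat.S_ISDIR(st.st_mode):
            try:
                sub = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY, dir_fd=dir_fd)
            except OSError:
                continue                             # swapped for a symlink or gone
            try:
                fst = os.fstat(sub)
                # tmpwatch-style race check: opened inode must match what lstat() saw
                if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
                    raise RuntimeError("race detected entering " + name)
                safe_clean(sub, root_dev, max_age, now)
            finally:
                os.close(sub)
            try:
                os.rmdir(name, dir_fd=dir_fd)        # succeeds only if now empty
            except OSError:
                pass

def demo():
    # Constructed sample tree (not from the page): a stale file in a nested
    # directory, a fresh file, and a symlink to a file outside the tree.
    root, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    victim = os.path.join(outside, "important")
    old, fresh = os.path.join(root, "deep", "old.log"), os.path.join(root, "fresh.txt")
    os.makedirs(os.path.join(root, "deep", "deeper"))
    for p in (victim, old, fresh):
        open(p, "w").close()
    os.utime(old, (time.time() - 3 * 3600,) * 2)     # last accessed 3 hours ago
    os.symlink(victim, os.path.join(root, "link"))
    fd = os.open(root, os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY)
    safe_clean(fd, os.fstat(fd).st_dev, 3600, time.time())   # one-hour threshold
    os.close(fd)
    left = {n: os.path.lexists(os.path.join(root, n)) for n in ("deep", "fresh.txt", "link")}
    left["victim"] = os.path.exists(victim)          # must survive the symlink
    return left
```

After `demo()` runs, the stale file and the directories it emptied are gone, while the fresh file, the symlink itself and the file it points to outside the tree are untouched.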