[2581] in bugtraq
Re: [linux-security] Things NOT to put in root's crontab
daemon@ATHENA.MIT.EDU (Mike Kienenberger)
Wed May 22 18:36:48 1996
Date: Wed, 22 May 1996 11:23:53 -0800
Reply-To: mkienenb@arsc.edu
From: Mike Kienenberger <mkienenb@arsc.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199605221724.NAA03201@hausdorff.math.psu.edu>
On Wed, 22 May 1996, Dan Cross wrote:
> I was under the impression that find(1) didn't follow symbolic links?
> Thus, one wouldn't ``find'' /etc/passwd if there was a link to /etc
> from somewhere in /tmp.
>
> Please don't tell me that Linux (or, more precisely, GNU) broke this. :-)
No, the problem is that while find won't follow a symbolic link,
it's possible to make a really really really long path to a file,
then while that path is being followed by find, you can rename the top-level
directory and just leave a symbolic link for the -exec command. In this case,
rm.
I.e., create a real path of a/a/a/a/a/a/a/a/a/a/a/a/a/etc/passwd
Then create a path of b/a/a/a/a/a/a/a/a/a/a/a/a/etc
where etc is actually a link to /etc/,
then after find starts down a/a/a/a/, rename a to c, and b to a.
Now after the find command completes processing of passwd, rm will
pick up on the new a (formerly b) path.
---
Mike Kienenberger Arctic Region Supercomputing Center
Systems Analyst (907) 474-6842
mkienenb@arsc.edu http://www.arsc.edu
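
An added example, not part of the original post: the usual defence against the rename race described above is to delete relative to directory file descriptors that are already held, rather than re-resolving a path for rm. The sketch assumes Linux and Python's `dir_fd` support; `safe_purge` and `demo` are hypothetical names, and the tree is constructed in a temporary directory where `protected` stands in for /etc.

```python
import os
import stat
import tempfile

# Open directories only; fail instead of following a symlink in the last component.
DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def safe_purge(dir_fd):
    """Unlink regular files below dir_fd; names are resolved against held fds only."""
    removed = 0
    for name in os.listdir(dir_fd):
        st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
        if stat.S_ISDIR(st.st_mode):
            try:
                child = os.open(name, DIR_FLAGS, dir_fd=dir_fd)
            except OSError:
                continue  # no longer a real directory (swapped after the stat): skip
            try:
                removed += safe_purge(child)
            finally:
                os.close(child)
        elif stat.S_ISREG(st.st_mode):
            os.unlink(name, dir_fd=dir_fd)  # unlinkat(2): relative to the fd, not a path
            removed += 1
    return removed

def demo():
    """Constructed tree in a temp dir; 'protected' stands in for /etc."""
    with tempfile.TemporaryDirectory() as tmp:
        protected = os.path.join(tmp, "protected")
        sweep = os.path.join(tmp, "sweep")
        os.makedirs(protected)
        os.makedirs(os.path.join(sweep, "a", "a", "etc"))
        os.makedirs(os.path.join(sweep, "b", "a"))
        for d in (protected, os.path.join(sweep, "a", "a", "etc")):
            with open(os.path.join(d, "passwd"), "w") as f:
                f.write("constructed sample\n")
        os.symlink(protected, os.path.join(sweep, "b", "a", "etc"))
        fd = os.open(os.path.join(sweep, "a", "a"), DIR_FLAGS)  # traversal is here
        os.rename(os.path.join(sweep, "a"), os.path.join(sweep, "c"))
        os.rename(os.path.join(sweep, "b"), os.path.join(sweep, "a"))
        path = os.path.join(sweep, "a", "a", "etc", "passwd")
        path_hits_protected = os.path.samefile(path, os.path.join(protected, "passwd"))
        try:
            removed = safe_purge(fd)
        finally:
            os.close(fd)
        return (path_hits_protected, removed,
                os.path.exists(os.path.join(protected, "passwd")),
                os.path.exists(os.path.join(sweep, "c", "a", "etc", "passwd")))
```

After the two renames the old path string resolves to the protected file, while the held descriptor still refers to the original directory, so only the file the traversal actually visited is removed.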