[2584] in bugtraq


Re: [linux-security] Things NOT to put in root's crontab

daemon@ATHENA.MIT.EDU (Philip Guenther)
Wed May 22 23:36:56 1996

Date:         Wed, 22 May 1996 19:10:05 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Philip Guenther <guenther@gac.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  Your message of "Wed, 22 May 1996 14:20:41 CDT."
              <199605221917.AA10964@gateway.fedex.com>

William McVey <wam@fedex.com> writes:
>Dan Cross wrote:
>>I was under the impression that find(1) didn't follow symbolic links?
>>Thus, one wouldn't ``find'' /etc/passwd if there was a link to /etc
>>from somewhere in /tmp.
>
>The exposure comes from a race condition between when find has
>descended into a real directory (expected behavior) and when the
>'rm' is forked (expected behavior).  If between these two tasks a
>real directory is replaced with a symlink (unexpected behavior)
>you are going to have problems.

The race condition in find should be eliminable by using fchdir()
and passing the '-exec'ed command a simple filename.  You have to keep
open one descriptor for each level descended which should max out at
MAXPATHLEN/2.  That should be within the bounds of modern UNIX systems.
In pseudocode:


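cur = open argv[1];
fchdir(cur);
do_dir(cur);

/* cur is an open descriptor for the directory being processed */
do_dir(int cur) {
    foreach file in "." {
        int fd = open file;
        do_stuff_from_command_line;    /* cwd is cur; command gets the simple filename */
        if ISDIR(fstat fd) {
            fchdir(fd);
            do_dir(fd);
            fchdir(cur);               /* return via the descriptor kept open for this level */
        }
        close(fd);                     /* only the descriptors for the current path stay open */
    }
}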


Philip Guenther
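
The fchdir() walk described in the message above, as an added C example that is not part of the original post. It assumes a POSIX.1-2008 system (O_NOFOLLOW, O_DIRECTORY, fdopendir()); the function name sweep and the use of unlink() as a stand-in for the -exec'ed rm are illustrative choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example; sweep() is an illustrative name, not code from the post.
 * Unlinks every non-directory under the open directory `cur` (consumed).
 * Returns the number of entries removed, or -1 if `cur` is unusable. */
long sweep(int cur)
{
    DIR *d = fdopendir(cur);
    struct dirent *e;
    struct stat st, fst;
    long n = 0;
    if (!d) { close(cur); return -1; }
    if (fchdir(cur) != 0) { closedir(d); return -1; }
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (lstat(e->d_name, &st) != 0) continue;
        if (!S_ISDIR(st.st_mode)) {
            /* Stand-in for the -exec'ed rm: simple filename, cwd pinned by fd. */
            if (unlink(e->d_name) == 0) n++;
            continue;
        }
        /* Assumption: O_NOFOLLOW is available. The open fails if the
         * directory was swapped for a symlink after the lstat(). */
        int fd = open(e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        if (fd < 0) continue;
        if (fstat(fd, &fst) != 0 || fst.st_dev != st.st_dev || fst.st_ino != st.st_ino) {
            close(fd);               /* not the directory that was examined */
            continue;
        }
        long r = sweep(fd);          /* leaves cwd at or below fd */
        if (r > 0) n += r;
        if (fchdir(cur) != 0) break; /* cannot return: stop, do not act elsewhere */
    }
    closedir(d);                     /* also closes cur */
    return n;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s DIR\n", argv[0]); return 2; }
    long n = sweep(open(argv[1], O_RDONLY | O_DIRECTORY));
    printf("%ld entries removed\n", n);
    return n < 0;
}
```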
