Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [linux-security] Things NOT to put in root's crontab

From: guenther () gac edu (Philip Guenther)
Date: Wed, 22 May 1996 19:10:05 -0500

William McVey <wam () fedex com> writes:

Dan Cross wrote:

I was under the impression that find(1) didn't follow symbolic links?
Thus, one wouldn't ``find'' /etc/passwd if there was a link to /etc
from somewhere in /tmp.


The exposure comes from a race condition between when find has
decended into a real directory (expected behavior) and when the
'rm' is forked (expected behavior).  If between these two tasks a
real directory is replaced with a symlink (unexepected behavior)
you are going to have problems.


The race condition in find should be eliminatible by using fchdir()
and passing the '-exec'ed command a simple filename.  You have to keep
open one descriptor for each level descended which should max out at
MAXPATHLEN/2.  That should be within the bounds of modern UNIX systems.
In pseudocode:


cur = open argv[1];
fchdir(cur);
do_dir(cur);

do_dir(int cur) {
    foreach file in "." {
        int fd = open file;
        do_stuff_from_command_line;
        if ISDIR(fstat fd) {
            fchdir(fd);
            do_dir(fd);
            fchdir(cur);
        }
    }
}


Philip Guenther
Previous By Date Next
Previous By Thread Next

Current thread: