Bugtraq mailing list archives
Race condition in "rm -r"
From: terra () DIKU DK (Morten Welinder)
Date: Wed, 3 May 2000 16:13:23 +0200
Synopsis: If root ever does "rm -rf /tmp/foo" for a directory structure not completely owned by root, a local user can delete all files that root can. Such deletions are common for (a) /tmp cleanup and (b) before creating a specific directory in /tmp/. Details: "rm -r" implementations (Solaris 7, Gnu 4.0 checked) walk the directories, lstats files, and chdirs into directories (and recurs). Oh, and deletes stuff, of course. It is possible to replace a directory by a symlink, say "/", and have rm cheerfully follow it. The race window is small -- it will take thousands upon thousands of tries. Moreover, since the racing involves rmdir -- which typically is not very fast -- you'll need patience and "nice" and any other help you can get. Solutions: Maybe stat "." after chdir to verify that we ended up the expected place? Also affected: chmod, chown, chgrp. (Probably; this is guesswork.)
Current thread:
- Re: Windows NT/95/98/Possible Others Denial of Service Attack. Mi crosoft ODBC Database connectivity flaw. Daniel Docekal (May 01)
- SuSE Security Announcement - aaa_base - UPDATE Marc Heuse (May 02)
- Race condition in "rm -r" Morten Welinder (May 03)
- Re: Race condition in "rm -r" Glynn Clements (May 06)
- Re: Race condition in "rm -r" David Brownlee (May 07)
- Re: Race condition in "rm -r" Glynn Clements (May 07)
- Re: Race condition in "rm -r" David Brownlee (May 08)
- Race condition in "rm -r" Morten Welinder (May 03)
- Re: Race condition in "rm -r" Alex Belits (May 07)
- Re: Race condition in "rm -r" Glynn Clements (May 07)
- SuSE Security Announcement - aaa_base - UPDATE Marc Heuse (May 02)
- Ipchains! Dimuthu Parussalla (May 07)
- Re: Ipchains! Paul D. Carlucci (May 10)
- Prevent Current and Future E-Mail Worms AXENT Security Team (May 12)
- Cisco Security Advisory: Cisco IOS HTTP Server Vulnerability Cisco Systems Product Security Incident Response Team (May 15)