Bugtraq mailing list archives
Re: ISS Security Advisory: Insecure call of external programs in Red Hat Linux tmpwatch
From: Adam Rice <adam () NEWSQUEST CO UK>
Date: Tue, 10 Oct 2000 09:44:44 +0100
Alfred Perlstein wrote:
> 2) this utility should be rewritten to just run its checks on the output from find which is a utility that's most likely smarter and proven about directory traversal than this thing.
You are wrong here. While find's directory traversal is beyond reproach, its output reflects the state of the filesystem some microseconds ago. An attacker could have changed everything in the meantime. find cannot be used in untrusted environments. This has been discussed extensively on Bugtraq in the past, so I won't go into detail now.
Adam Rice
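The stale-listing problem raised in this reply, shown from the defender's side as an added example (not code from the thread or from tmpwatch): each entry is re-checked at the moment of use and resolved against an open directory descriptor instead of a path string produced earlier. The function names, the `/tmp/sweep-demo-XXXXXX` fixture and the use of the POSIX.1-2008 `*at()` calls are assumptions of this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Descend one level by name relative to an already-open directory.
 * O_NOFOLLOW makes this fail if the entry became a symlink after it
 * was listed, instead of following it somewhere else. */
int open_subdir(int parent_fd, const char *name)
{
    return openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
}

/* Unlink `name` inside dir_fd if it is a regular file older than cutoff.
 * Returns 1 = removed, 0 = kept, -1 = error. The entry is examined when
 * it is used, and the name is resolved against dir_fd rather than a path
 * string, so replacing a parent component cannot redirect the unlink. */
int remove_if_stale(int dir_fd, const char *name, time_t cutoff)
{
    struct stat st;

    if (fstatat(dir_fd, name, &st, AT_SYMLINK_NOFOLLOW) != 0)
        return -1;
    if (!S_ISREG(st.st_mode) || st.st_mtime >= cutoff)
        return 0;
    return unlinkat(dir_fd, name, 0) == 0 ? 1 : -1;
}

int main(void)
{
    char dir[] = "/tmp/sweep-demo-XXXXXX";          /* constructed fixture */
    struct timespec epoch[2] = { {0, 0}, {0, 0} };  /* mtime = 1970 */
    int dfd;

    if (!mkdtemp(dir) || (dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0)
        return 1;
    close(openat(dfd, "old", O_CREAT | O_WRONLY, 0600));
    utimensat(dfd, "old", epoch, 0);
    symlinkat("/", dfd, "swapped");  /* stands in for an entry swapped after listing */
    printf("old file: %d\n", remove_if_stale(dfd, "old", time(NULL)));
    printf("symlink:  %d\n", remove_if_stale(dfd, "swapped", time(NULL)));
    printf("descend:  %d\n", open_subdir(dfd, "swapped"));
    unlinkat(dfd, "swapped", 0);
    close(dfd);
    return rmdir(dir) != 0;
}
```

A window still exists between `fstatat()` and `unlinkat()`, but both resolve the name inside the same open directory, so a swapped entry cannot move the deletion outside it.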
Current thread:
- ISS Security Advisory: Insecure call of external programs in Red Hat Linux tmpwatch X-Force (Oct 08)
- Re: ISS Security Advisory: Insecure call of external programs in Red Hat Linux tmpwatch Alfred Perlstein (Oct 09)
- Re: ISS Security Advisory: Insecure call of external programs in Red Hat Linux tmpwatch Adam Rice (Oct 10)
- Re: ISS Security Advisory: Insecure call of external programs in Red Hat Linux tmpwatch Alfred Perlstein (Oct 09)