Vulnerability Development mailing list archives

Re: Unix * weirdness


From: nascheme () ENME UCALGARY CA (nascheme () ENME UCALGARY CA)
Date: Sat, 1 Jan 2000 16:27:10 -0700


On Sat, Jan 01, 2000 at 02:04:37PM -0800, Blue Boar wrote:
> # unlink -proc

The traditional solution is:

    rm ./-proc

> So, I wonder what other kinds of traps can be laid for the root
> user or cron jobs, etc...  For example, here's a line from my
> S05RMTMPFILES in /etc/rc2.d dir, on a Solaris 2.6 machine.
> (Which is where this behavior was noticed):
>
> /usr/bin/rm -rf /tmp/*

There is an old trick of putting a file called ``-i'' in your
important directories.  That way if you accidentally do a ``rm -rf
*'' you will be saved.

Due to the order of expansion in the shell you can't play too
many tricks on root.  Something like:

    rm /tmp/*

with a file in /tmp called ``; rm -rf ..'' will not do bad
things.  You can still cause lots of problems for poorly written
programs.  For example if you had the file mentioned above and a
program that did something like:

    os.system("rm %s" % filename) # Python code

you can imagine what would happen.  I wouldn't be surprised to
see code like this around.

> So, if I can place an interestingly named file in /tmp
> (and anyone can) can I get interesting things to happen
> when the machine reboots?

I would hope that the scripts with your OS are more secure than
that.  My Debian box uses "find" with "-exec rm -rf -- {} \;".

> For example, can I get a file with spaces in it?  How about
> the | (vertical bar) character?  How about a ; ?

Of course.  AFAIK, the only character disallowed in Unix
filenames is ``/''.  NULL is probably also a problem due to C
libraries.  It is probably safe to assume that NULLs cannot be in
filenames.

> Is this a really old "feature" that everyone knows about except me?

There are always questions about this in comp.unix.shell.  It is
explained in the FAQ.

When writing scripts, "special" characters are a pain due to the
fact the Bourne shell keeps expanding parameters.  The Plan 9 rc
shell is much nicer in this regard.  Unfortunately it is not
widely used.  If you are writing shell code you have to remember
to quote everything.  Some useful programs and options I use are:

    xargs -0
    perl -0
    find -print0

For example:

    find /tmp -name '*.bak' -print0 | perl -n0e unlink

is pretty safe.  Unfortunately I think the find and xargs options
are GNU extensions.

    Neil

--
"Only two things are infinite, the universe and human stupidity, and
I'm not sure about the former."   - Albert Einstein
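
The following is an added example, not part of the original post: it runs the `"rm %s" % filename` pattern from the message beside a form that passes the name as a single argument after `--`, inside a throwaway directory. The file names, the `INJECTED` marker and all function names are constructed for this illustration.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed sample names: each is a legal Unix filename (no "/" and no NUL).
HOSTILE_NAMES = ["-i", "two words", "a|b", "x; touch INJECTED", "line\nbreak"]

def make_sandbox():
    """Create a throwaway directory populated with the constructed names."""
    d = tempfile.mkdtemp(prefix="names-demo-")
    for name in HOSTILE_NAMES:
        open(os.path.join(d, name), "w").close()
    return d

def unsafe_rm(workdir, filename):
    """Pattern from the post: the name is pasted into a command string, so
    the shell parses it a second time (same effect as os.system)."""
    subprocess.call("rm %s" % filename, shell=True, cwd=workdir,
                    stderr=subprocess.DEVNULL)

def safe_rm(workdir, filename):
    """No shell: the name is one argv element, and "--" ends option
    parsing so a name such as "-i" is treated as a file."""
    subprocess.check_call(["rm", "--", filename], cwd=workdir)

def demo():
    # Unsafe: ";" ends the rm command and the rest runs as a new command.
    d1 = make_sandbox()
    unsafe_rm(d1, "x; touch INJECTED")
    unsafe_result = sorted(os.listdir(d1))
    shutil.rmtree(d1)

    # Safe: every name is removed and nothing else is created.
    d2 = make_sandbox()
    for name in os.listdir(d2):
        safe_rm(d2, name)
    safe_result = sorted(os.listdir(d2))
    shutil.rmtree(d2)
    return unsafe_result, safe_result

if __name__ == "__main__":
    unsafe, safe = demo()
    print("after unsafe_rm:", unsafe)
    print("after safe_rm:  ", safe)
```

After the unsafe call the target file is still present and an extra `INJECTED` file has appeared; the safe form leaves the directory empty.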


