Vulnerability Development mailing list archives
Re: Unix * weirdness
From: nascheme () ENME UCALGARY CA (nascheme () ENME UCALGARY CA)
Date: Sat, 1 Jan 2000 16:27:10 -0700
On Sat, Jan 01, 2000 at 02:04:37PM -0800, Blue Boar wrote:
> # unlink -proc
The traditional solution is: rm ./-proc
> So, I wonder what other kinds of traps can be laid for the root user or cron jobs, etc... For example, here's a line from my S05RMTMPFILES in /etc/rc2.d dir, on a Solaris 2.6 machine. (Which is where this behavior was noticed):
>
>     /usr/bin/rm -rf /tmp/*
There is an old trick of putting a file called ``-i'' in your important directories. That way if you accidentally do a ``rm -rf *'' you will be saved. Due to the order of expansion in the shell you can't play too many tricks on root. Something like:

    rm /tmp/*

with a file in /tmp called ``; rm -rf ..'' will not do bad things. You can still cause lots of problems for poorly written programs. For example if you had the file mentioned above and a program that did something like:

    os.system("rm %s" % filename) # Python code

you can imagine what would happen. I wouldn't be surprised to see code like this around.
> So, if I can place an interestingly named file in /tmp (and anyone can) can I get interesting things to happen when the machine reboots?
I would hope that the scripts with your OS are more secure than that. My Debian box uses "find" with "-exec rm -rf -- {} \;".
> For example, can I get a file with spaces in it? How about the | (vertical bar) character? How about a ; ?
Of course. AFAIK, the only character disallowed in Unix filenames is ``/''. NULL is probably also a problem due to C libraries. It is probably safe to assume that NULLs cannot be in filenames.
> Is this a really old "feature" that everyone knows about except me?
There are always questions about this in comp.unix.shell. It is explained in the FAQ. When writing scripts, "special" characters are a pain due to the fact the Bourne shell keeps expanding parameters. The Plan 9 rc shell is much nicer in this regard. Unfortunately it is not widely used. If you are writing shell code you have to remember to quote everything. Some useful programs and options I use are:

    xargs -0
    perl -0
    find -print0

For example:

    find /tmp -name '*.bak' -print0 | perl -n0e unlink

is pretty safe. Unfortunately I think the find and xargs options are GNU extensions.

  Neil

--
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - Albert Einstein
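
Added example, not part of the original message: the os.system("rm %s" % filename) pattern from the post next to an argument-vector call that uses "--", run in a scratch directory. The file names are constructed for the demo, "touch INJECTED" is a harmless stand-in for the injected command, and subprocess.run(..., shell=True) stands in for os.system so the working directory can be set.

```python
import os
import subprocess
import tempfile

# Constructed file names: one with a shell metacharacter, one with a leading dash.
HOSTILE = "x; touch INJECTED"
DASHED = "-proc"


def populate(d):
    """Create the two awkward file names inside scratch directory d."""
    for name in (HOSTILE, DASHED):
        open(os.path.join(d, name), "w").close()


def unsafe_remove(d, filename):
    """Same pattern as os.system("rm %s" % filename): /bin/sh re-parses the name."""
    subprocess.run("rm %s" % filename, shell=True, cwd=d,
                   stderr=subprocess.DEVNULL)


def safe_remove(d, filename):
    """No shell, one argv entry per name; "--" stops rm treating -proc as options."""
    subprocess.run(["rm", "--", filename], cwd=d, check=True)


def demo():
    """Run both variants and report what each left behind."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        populate(d)
        unsafe_remove(d, HOSTILE)  # shell sees: rm x ; touch INJECTED
        results["unsafe_injected"] = os.path.exists(os.path.join(d, "INJECTED"))
        results["unsafe_target_left"] = os.path.exists(os.path.join(d, HOSTILE))
    with tempfile.TemporaryDirectory() as d:
        populate(d)
        safe_remove(d, HOSTILE)
        safe_remove(d, DASHED)
        results["safe_injected"] = os.path.exists(os.path.join(d, "INJECTED"))
        results["safe_remaining"] = sorted(os.listdir(d))
    return results


if __name__ == "__main__":
    print(demo())
```

In the unsafe run the intended file is never deleted and the marker file appears; in the safe run both names are removed and nothing else is created.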