Subject: Re: CRITICAL ** Holes in default cron jobs ** CRITICAL
To: None <current-users@NetBSD.ORG>
From: der Mouse <mouse@Holo.Rodents.Montreal.QC.CA>
List: current-users
Date: 12/30/1996 15:21:14
> I'd like to suggest that we generalize the solution by making all the
> rm commands only remove files owned by root,bin,daemon.

I'd assume you mean _not_ remove such files. :-)

> All those simply generate a warning to root.  Perhaps with a script
> to do the actual rm squirrelled away somewhere.

Unless you put the check in the kernel, as part of unlink(), it's
vulnerable to racing between the check and the unlink, more or less the
same race as we've been talking about here.  And if you do put the
check in the kernel...that means having the kernel know what UIDs are
"special", which is pretty gross.  (It's bad enough having it know
about UID 0 specially.)  And of course it doesn't affect anything but
unlink()....

To be sure, teaching the kernel about multiple special UIDs is
something I've been meaning to do, but in a more general context, not
just a special case for unlink().

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
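The check-versus-unlink window der Mouse describes is the classic cleanup race: a path-based `find ... -exec rm` can be steered elsewhere if a directory component is renamed between the test and the removal. As an added illustration (this is not code from the thread, from NetBSD, or from any cron job), the sweeper below shows how far a userland implementation of the "only remove files not owned by root, bin, daemon" idea can go: it pins the directory with a file descriptor and addresses each entry relative to it with `fstatat`/`unlinkat`, so renaming a parent cannot redirect the unlink, and it judges the entry itself rather than a symlink target. The residual window between `fstatat` and `unlinkat` on the final name is noted in a comment; it is exactly the gap that only an in-kernel check could close. The function names `sweep_dirfd`, `sweep_path` and `run_demo`, and the fixture built under `/tmp`, are my own constructions.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Is uid one of the owners whose files the sweep must leave alone? */
static int uid_protected(uid_t uid, const uid_t *keep, size_t nkeep) {
    for (size_t i = 0; i < nkeep; i++)
        if (keep[i] == uid) return 1;
    return 0;
}

/* Remove regular files and symlinks directly inside the directory open on
 * dfd whose owner is not in keep[]. Every entry is addressed relative to dfd,
 * so renaming a parent directory mid-sweep cannot steer the unlink elsewhere
 * (the path-based cleanup race). Returns the number removed, -1 on error.
 * Subdirectories are skipped here; a recursive version would openat() them
 * with O_DIRECTORY|O_NOFOLLOW and pass the new fd down. */
int sweep_dirfd(int dfd, const uid_t *keep, size_t nkeep) {
    DIR *d = fdopendir(dfd);            /* takes ownership of dfd */
    if (d == NULL) { close(dfd); return -1; }
    int removed = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        struct stat st;
        /* AT_SYMLINK_NOFOLLOW: judge the entry itself, never what it points at */
        if (fstatat(dfd, e->d_name, &st, AT_SYMLINK_NOFOLLOW) != 0) continue;
        if (S_ISDIR(st.st_mode)) continue;
        if (uid_protected(st.st_uid, keep, nkeep)) continue;
        /* Residual window between fstatat and unlinkat: the name can only be
         * replaced by someone allowed to rename in this very directory, and
         * unlinkat drops just this directory's link, not the target inode.
         * Closing even that window needs the check inside the kernel. */
        if (unlinkat(dfd, e->d_name, 0) == 0) removed++;
    }
    closedir(d);                        /* also closes dfd */
    return removed;
}

/* Open the directory without following a symlink at the last component. */
int sweep_path(const char *path, const uid_t *keep, size_t nkeep) {
    int dfd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0) return -1;
    return sweep_dirfd(dfd, keep, nkeep);
}

/* Constructed fixture, not a real cron job: one junk file plus a symlink to a
 * file outside the directory, swept twice. Returns a bitmask: 1 = our own file
 * survives while our uid is protected, 2 = both entries go when no uid is
 * protected, 4 = the symlink target itself was left untouched. */
int run_demo(void) {
    char dir[] = "/tmp/sweepdemo.XXXXXX";
    char target[] = "/tmp/sweepdemo.target.XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    int tfd = mkstemp(target);
    if (tfd < 0) return -1;
    close(tfd);
    char junk[256], lnk[256];
    snprintf(junk, sizeof junk, "%s/junk.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/link-to-target", dir);
    int jfd = open(junk, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (jfd < 0) return -1;
    close(jfd);
    if (symlink(target, lnk) != 0) return -1;
    uid_t me = getuid();
    struct stat st;
    int result = 0;
    if (sweep_path(dir, &me, 1) == 0 && lstat(junk, &st) == 0) result |= 1;
    if (sweep_path(dir, NULL, 0) == 2 && lstat(junk, &st) != 0
        && lstat(lnk, &st) != 0) result |= 2;
    if (access(target, F_OK) == 0) result |= 4;
    unlink(target);
    rmdir(dir);
    return result;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s DIR\n", argv[0]); return 2; }
    /* the owners the thread proposes to spare: root, bin, daemon */
    const char *names[] = { "root", "bin", "daemon" };
    uid_t keep[3];
    size_t nkeep = 0;
    for (size_t i = 0; i < 3; i++) {
        struct passwd *pw = getpwnam(names[i]);
        if (pw != NULL) keep[nkeep++] = pw->pw_uid;
    }
    int n = sweep_path(argv[1], keep, nkeep);
    printf("removed %d entries\n", n);
    return n < 0;
}
```

Run as `./sweep /tmp` to sweep one directory level; `run_demo()` exercises the ownership check and the symlink handling against a throwaway fixture. The design choice worth noting is that the ownership decision and the removal both go through the same pinned descriptor: that removes the path-rename race the thread is about, but the comment in the loop marks the window that remains, which is why the thread concludes only a kernel-side check could be airtight.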