Subject: Re: CRITICAL ** Holes in default cron jobs ** CRITICAL
To: None <tech-kern@NetBSD.ORG>
From: der Mouse <mouse@Holo.Rodents.Montreal.QC.CA>
List: tech-kern
Date: 01/01/1997 09:01:07
> One idea that I had, and I sent to greywolf, which wouldn't exactly
> work is to do the following, where xyzzy is a random string.

> umask 077
> $xyzzy=random_string()
> while (mkdir /tmp/$xyzzy) do
> 	xyzzy=random_string()
> done
> mv /tmp/* /tmp/.* /tmp/$xyzzy
> rm -rf /tmp/$xyzzy

Well, you want while ! mkdir /tmp/$xyzzy - i.e., loop while it fails, but
aside from that....

> This works great if you want to remove EVERYTHING in /tmp.  I don't
> see any races in it, if done as root.

I do.  If any process has a cwd in a subdirectory of /tmp, its cwd will
move when you do the mv, and it can then walk up the tree and play all
the usual symlink games.

Of course, it may be harder to win the race against rm -rf than it was
against find | xargs rm, but it's still there.

But as you point out, it's not useful unless you want to destroy _all_
of /tmp.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
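
Added example, not part of the original message or of NetBSD's cron scripts: one way a root cleanup job can delete a tree without being redirected by the symlink games described above is to descend by directory file descriptor and refuse to follow symlinks at every step. The names remove_tree_at and demo, and the constructed directory layout, are assumptions made for illustration; it relies on a platform where Python supports dir_fd and os.listdir on a descriptor.

```python
import os
import shutil
import stat
import tempfile

def remove_tree_at(parent_fd, name):
    """Remove `name` inside the directory open at parent_fd, never following symlinks."""
    st = os.lstat(name, dir_fd=parent_fd)
    if not stat.S_ISDIR(st.st_mode):
        os.unlink(name, dir_fd=parent_fd)   # removes the link itself, not its target
        return
    # O_NOFOLLOW: if the entry was swapped for a symlink after lstat, open fails.
    fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=parent_fd)
    try:
        opened = os.fstat(fd)
        if (opened.st_dev, opened.st_ino) != (st.st_dev, st.st_ino):
            raise OSError("directory was replaced between lstat and open")
        for entry in os.listdir(fd):        # names only; each is resolved against fd
            remove_tree_at(fd, entry)
    finally:
        os.close(fd)
    os.rmdir(name, dir_fd=parent_fd)        # fails on a symlink rather than following it

def demo():
    """Constructed scenario: the tree to delete holds a symlink to a directory outside it."""
    base = tempfile.mkdtemp()
    outside = os.path.join(base, "outside")
    victim = os.path.join(base, "quarantine")
    os.makedirs(os.path.join(victim, "sub"))
    os.mkdir(outside)
    keep = os.path.join(outside, "keep")
    open(keep, "w").close()
    open(os.path.join(victim, "sub", "junk"), "w").close()
    os.symlink(outside, os.path.join(victim, "sub", "link"))
    fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    try:
        remove_tree_at(fd, "quarantine")
    finally:
        os.close(fd)
    result = (os.path.exists(victim), os.path.exists(keep))
    shutil.rmtree(base)
    return result

if __name__ == "__main__":
    print(demo())
```

Because every operation is relative to an already-open directory descriptor, renaming or replacing a path component during the walk cannot steer the deletion to another part of the filesystem.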