5029802 2000-04-21  20:42  /59 lines/ Postmaster
Recipient: Bugtraq (import) <10565>
Subject: local user can delete arbitrary files on SuSE-Linux
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8BIT
Message-ID:  <Pine.LNX.4.21.0004210843510.23186-100000@gmv.spm.univ-rennes1.fr>
Date:         Fri, 21 Apr 2000 08:48:55 +0200
Reply-To: Peter Münster <peter@GMV.SPM.UNIV-RENNES1.FR>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Peter Münster <peter@GMV.SPM.UNIV-RENNES1.FR>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Hello,

If MAX_DAYS_IN_TMP > 0 in /etc/rc.config on a SuSE-Linux system, a
local user can delete arbitrary files by doing some commands like
these:

    mkdir -p "/tmp/hhh /somedirectory"
    touch -t some-early-date "/tmp/hhh /somedirectory/somefile"
    sleep 1d

The bug is in /etc/cron.daily/aaa_base for SuSE version 6.3 or perhaps
also in /root/bin/cron.daily for older SuSE versions.
Tested on SuSE 6.0 and 6.3 but probably existent on earlier versions.

Here is a possible patch for suse-package aaa_base-2000.1.3-0:

--- aaa_base~	Mon Jan  3 18:16:55 2000
+++ aaa_base	Fri Apr 21 08:42:19 2000
@@ -158,20 +158,10 @@
     done

     for TMP_DIR in $TMP_DIRS_TO_CLEAR ; do
-        for DEL_FILE in `find $TMP_DIR/. $OMIT \( -type f -o -type l \) \
-                         -atime +$MAX_DAYS_IN_TMP | sort -r` ; do
-            rm -f $DEL_FILE
-            DEL_DIR=`dirname $DEL_FILE`
-            if [ "$DEL_DIR" != "$TMP_DIR/." ] ; then
-                rmdir $DEL_DIR 2> /dev/null
-            fi
-        done
-    done
-    for DEL_DIR in `find $TMP_DIR/. $OMIT \( -type d \) \
-                    -ctime +$MAX_DAYS_IN_TMP | sort -r` ; do
-        if [ "$DEL_DIR" != "$TMP_DIR/." ] ; then
-            rmdir $DEL_DIR 2> /dev/null
-        fi
+		find $TMP_DIR/. $OMIT ! -type d \
+			-atime +$MAX_DAYS_IN_TMP -exec rm -f '{}' ';'
+		find $TMP_DIR/. $OMIT -depth -type d -empty -mindepth 1 \
+			-mtime +$MAX_DAYS_IN_TMP -exec rmdir '{}' ';'
     done
 fi

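Review bot: on the added "-exec rm -f '{}' ';'" line, rm is still handed a full pathname that it resolves again from the top after find has examined it, so a user who owns a directory under $TMP_DIR can swap a path component for a symlink in between and the deletion lands outside the tmp directory; the same holds for the "-exec rmdir" line. Running the action relative to the directory find is currently in (for example "-execdir rm -f '{}' ';'", or "-delete" where the installed find has it) closes that window. Two smaller points: "! -type d" widens the old "\( -type f -o -type l \)" match to sockets, FIFOs and device nodes, and the directory age test changes from -ctime to -mtime, neither of which the message explains; and $TMP_DIR is still expanded unquoted on both find lines.
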
Cheers, Peter

--
     Peter Münster
     http://gmv.spm.univ-rennes1.fr/~peter/
(5029802) ------------------------------------------(Reflowed)
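
Added example, not part of the original post or of SuSE's script: the word splitting that the pre-patch "for DEL_FILE in `find ...`" loop applies to find output, next to the patched "find ... -exec" form, run over a constructed sandbox. The function names and the directory name constructed-victim-dir are assumptions made for the illustration, the age tests and $OMIT are left out, and the script only prints what would be passed to rm.

```shell
#!/bin/sh
# Added illustration; sandbox, names and paths are constructed for this example.

# Words the pre-patch loop would pass to "rm -f". The unquoted backtick
# output is split on whitespace, so one pathname can become several words.
old_loop_targets() {
    for DEL_FILE in `find "$1/." \( -type f -o -type l \) | sort -r` ; do
        printf '%s\n' "$DEL_FILE"
    done
}

# Pathnames the patched form passes to rm: find hands each one to the
# command as a single argument, so the shell never splits it.
patched_targets() {
    find "$1/." ! -type d -exec printf '%s\n' '{}' ';'
}

# Read targets on stdin, count those that are not under directory $1.
count_outside() {
    n=0
    while IFS= read -r target ; do
        case $target in
            "$1"/*) ;;
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Build a throwaway tree with one directory whose name contains a space.
make_sandbox() {
    SANDBOX=$(mktemp -d)
    mkdir -p "$SANDBOX/tmp/hhh /constructed-victim-dir"
    : > "$SANDBOX/tmp/hhh /constructed-victim-dir/somefile"
}

make_sandbox
echo "old loop would rm:"
old_loop_targets "$SANDBOX/tmp" | sed 's/^/    /'
echo "outside tmp (old):     $(old_loop_targets "$SANDBOX/tmp" | count_outside "$SANDBOX/tmp")"
echo "outside tmp (patched): $(patched_targets "$SANDBOX/tmp" | count_outside "$SANDBOX/tmp")"
rm -rf "$SANDBOX"
```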