Re: [linux-security] Things NOT to put in root's crontab

der Mouse (mouse@Collatz.McRCIM.McGill.EDU)
Wed, 22 May 1996 15:28:14 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Christopher D. McCann: "Re: [linux-security] Things NOT to put in root's crontab"
Previous message: Doug Hughes: "Re: Denial of Service Attacks INFO"
Maybe in reply to: Zygo Blaxell: "[linux-security] Things NOT to put in root's crontab"
Next in thread: Christopher D. McCann: "Re: [linux-security] Things NOT to put in root's crontab"

> I was under the impression that find(1) didn't follow symbolic links?
> Thus, one wouldn't ``find'' /etc/passwd if there was a link to /etc
> from somewhere in /tmp.

Right.  Except that this hole is not quite that simple.  It's actually
Yet Another Race, but in this case the attacker can rig things to make
the race easy to win.

Basically, what it's doing is, arranging that when find looks, it's not
a symlink, but by the time rm's unlink(2) call looks, it has changed
and now is a symlink.

Just another race, looking at a pathname once at time T and once at
time T+1, depending on the pathname to refer to the same thing both
times.  (Lots of races fit this description....)

                                        der Mouse

                            mouse@collatz.mcrcim.mcgill.edu

Next message: Christopher D. McCann: "Re: [linux-security] Things NOT to put in root's crontab"
Previous message: Doug Hughes: "Re: Denial of Service Attacks INFO"
Maybe in reply to: Zygo Blaxell: "[linux-security] Things NOT to put in root's crontab"
Next in thread: Christopher D. McCann: "Re: [linux-security] Things NOT to put in root's crontab"