OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: local user can delete arbitrary files on SuSE-Linux
From: Peter Münster (peterGMV.SPM.UNIV-RENNES1.FR)
Date: Fri Apr 21 2000 - 01:48:55 CDT

Hello,
If MAX_DAYS_IN_TMP > 0 in /etc/rc.config on a SuSE-Linux system, a local
user can delete arbitrary files by doing some commands like these:
mkdir -p "/tmp/hhh /somedirectory"
touch -t some-early-date "/tmp/hhh /somedirectory/somefile"
sleep 1d

The bug is in /etc/cron.daily/aaa_base for SuSE version 6.3 or perhaps
also in /root/bin/cron.daily for older SuSE versions.
Tested on SuSE 6.0 and 6.3 but probably existent on earlier versions.

Here a possible patch for suse-package aaa_base-2000.1.3-0:

--- aaa_base~ Mon Jan 3 18:16:55 2000
+++ aaa_base Fri Apr 21 08:42:19 2000
-158,20 +158,10
     done

     for TMP_DIR in $TMP_DIRS_TO_CLEAR ; do
- for DEL_FILE in `find $TMP_DIR/. $OMIT \( -type f -o -type l \) \
- -atime +$MAX_DAYS_IN_TMP | sort -r` ; do
- rm -f $DEL_FILE
- DEL_DIR=`dirname $DEL_FILE`
- if [ "$DEL_DIR" != "$TMP_DIR/." ] ; then
- rmdir $DEL_DIR 2> /dev/null
- fi
- done
- done
- for DEL_DIR in `find $TMP_DIR/. $OMIT \( -type d \) \
- -ctime +$MAX_DAYS_IN_TMP | sort -r` ; do
- if [ "$DEL_DIR" != "$TMP_DIR/." ] ; then
- rmdir $DEL_DIR 2> /dev/null
- fi
+ find $TMP_DIR/. $OMIT ! -type d \
+ -atime +$MAX_DAYS_IN_TMP -exec rm -f '{}' ';'
+ find $TMP_DIR/. $OMIT -depth -type d -empty -mindepth 1 \
+ -mtime +$MAX_DAYS_IN_TMP -exec rmdir '{}' ';'
     done
 fi

Cheers, Peter 

--
     Peter Münster
     http://gmv.spm.univ-rennes1.fr/~peter/