2011-03-16 09:59:55 +0100, sean finney:
> Hi Stephane,

Hi Sean,

> On Tue, Mar 15, 2011 at 04:17:50PM +0000, Stephane Chazelas wrote:
> > 09,39 *     * * *     root   [ -x /usr/lib/php5/maxlifetime ] && [ -d 
> > /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin 
> > +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm
>  
> > when /var/lib/php5/foo/passwd has exceeded its maxlifetime but
> > not the ones in /var/lib/php5/bar, assuming foo appears before
> > bar, find will output /var/lib/php5/foo/passwd and then spend a
> > few minutes in /var/lib/php5/bar during which the attacker can
> > replace his /var/lib/php5/foo directory with a symlink to /etc.
> > Then xargs will remove /etc/passwd.
> 
> Wouldn't xargs just remove the symlink?  I could see this being a
> problem if xargs was putting something *into* the files, but don't
> see the particular issue here.
[...]

No, please look carefully. It's not "passwd" that's the
symlink, it's foo (to /etc). rm would remove
/var/lib/php5/foo/passwd, that is, it would unlink the "passwd"
entry from the directory pointed to by "foo", that is, "/etc".

It's such a common mistake that it is documented in GNU
findutils documentation which I gave a reference to.

Cheers,
Stephane
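The race Stephane describes, replayed in slow motion as an added example (this script is not part of the bug report and does not touch the real cron job or /var/lib/php5). It builds a constructed tree under a scratch directory that stands in for /var/lib/php5 and /etc, captures find's output the way xargs would buffer it, lets the "attacker" swap the foo directory for a symlink, and then lets rm consume the buffered name. A second function cleans the same tree with find -delete, which unlinks each matching entry at the moment it is found, by name relative to the directory find has open, so there is no window between selection and removal and the symlinked foo is never descended. Two substitutions are assumptions of the example only: -mmin replaces the cron job's -cmin (a file's ctime cannot be backdated from userland, its mtime can with touch -t), and the "attacker" step is a plain mv plus ln -s run by the same user.

```shell
#!/bin/sh
# Added example, not the bug report's own code: replays the find|xargs
# symlink race in a scratch directory, then the same cleanup via -delete.
# Requires GNU find/xargs (-mmin, -print0, -r, -delete).
set -eu

# Constructed stand-in tree:
#   $base/sessions/foo/passwd   stale session file (backdated, selected by find)
#   $base/sessions/bar/sess_1   fresh session file (must survive)
#   $base/etc/passwd            the victim, also backdated so it *would* match
# Prints the scratch directory path.
setup_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/sessions/foo" "$base/sessions/bar" "$base/etc"
    echo "stale session" > "$base/sessions/foo/passwd"
    echo "fresh session" > "$base/sessions/bar/sess_1"
    echo "root:x:0:0:root:/root:/bin/sh" > "$base/etc/passwd"
    touch -t 200001010000 "$base/sessions/foo/passwd" "$base/etc/passwd"
    echo "$base"
}

# The vulnerable pipeline, with the two halves separated so the window
# between find printing a path and xargs acting on it can be widened at will.
# Returns 0 when the victim file outside the tree was removed.
replay_race() {
    base=$(setup_tree)
    # 1. find has already emitted foo/passwd and is still busy elsewhere;
    #    xargs holds the full path "$base/sessions/foo/passwd" in its buffer.
    find "$base/sessions/" -type f -mmin +60 -print0 > "$base/buffered"
    # 2. the owner of foo renames it away and puts a symlink to etc in its place.
    mv "$base/sessions/foo" "$base/sessions/foo.moved"
    ln -s "$base/etc" "$base/sessions/foo"
    # 3. rm resolves the buffered name through the new symlink.
    xargs -n 200 -r -0 rm < "$base/buffered"
    status=1
    if [ ! -e "$base/etc/passwd" ] && [ -e "$base/sessions/foo.moved/passwd" ]; then
        echo "race: etc/passwd removed, the stale session file itself survived"
        status=0
    else
        echo "race: etc/passwd survived"
    fi
    rm -rf "$base"   # rm -rf does not follow the foo symlink
    return $status
}

# Same tree, same swap, but cleanup through find -delete: the symlinked foo is
# not followed (no -L), so the backdated etc/passwd is never a candidate, and a
# directory swapped mid-walk cannot redirect an unlink that find performs
# relative to the directory it already has open.
# Returns 0 when the victim survived and only the stale session was removed.
cleanup_with_delete() {
    base=$(setup_tree)
    mv "$base/sessions/foo" "$base/sessions/foo.moved"
    ln -s "$base/etc" "$base/sessions/foo"
    find "$base/sessions/" -type f -mmin +60 -delete
    status=1
    if [ -e "$base/etc/passwd" ] && [ -e "$base/sessions/bar/sess_1" ]; then
        echo "-delete: etc/passwd and fresh session survived"
        status=0
    else
        echo "-delete: something outside the stale set was removed"
    fi
    rm -rf "$base"
    return $status
}

# Usage: sh race-demo.sh  (prints one line per scenario)
replay_race
cleanup_with_delete
```

The slow-motion split is deliberate: the real cron job only wins or loses the race depending on how long find spends under bar/, whereas capturing its output first makes the outcome reproducible. The point to take from the second function is that the fix is not about symlinks per se but about where the path is resolved; any -exec/xargs variant that hands a full path to a later process reopens the same window.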


