cvs commit: src/bin/rm rm.1 rm.c

Simon 'corecode' Schubert corecode at fs.ei.tum.de
Sun Nov 5 02:29:15 PST 2006


Victor Balada Diaz wrote:
> On Sat, Nov 04, 2006 at 06:26:39PM -0800, Matthew Dillon wrote:
>> dillon      2006/11/04 18:26:39 PST
>>
>> DragonFly src repository
>>
>>   Modified files:
>>     bin/rm               rm.1 rm.c
>>   Log:
>>   Sync our rm -P option with OpenBSD - if the file has a hardlink count
>>   greater than one do not overwrite it or remove it, and issue a warning.
>
> If you use -P you know what you're doing, or at least if you use -f
> with -P. DragonFly by default allows any user to do a hard link to
> a file he doesn't own, so if you really want to delete file contents
> you must be able to.

I think in any case, rm -P should remove setuid/gid bits from the file, because if your intention originally was to completely remove the file, and suddenly it (and its links) stay around, still with setuid set, it could be quite bad.

The situation I have in my head is (courtesy of vbd):

/home symlink to /usr/home

eviluser$ ln /usr/bin/lpr /usr/home/eviluser/tmp/lpr-faulty
# yay.  lpr-faulty is setuid root
# security advisory: vuln in lpr
root# rm -P /usr/bin/lpr
root#  # eh?  warning?  whatever, never find out where the link is
root# rm /usr/bin/lpr
root# install -mode 1555 /root/fixed-lpr /usr/bin/lpr
# one month later
eviluser$ exploit ~/tmp/lpr-faulty
cheers
 simon
--
Serve - BSD     +++  RENT this banner advert  +++    ASCII Ribbon   /"\
Work - Mac      +++  space for low €€€ NOW!1  +++      Campaign     \ /
Party Enjoy Relax   |   http://dragonflybsd.org      Against  HTML   \
Dude 2c 2 the max   !   http://golden-apple.biz       Mail + News   / \
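
An added example, not part of the original message and not DragonFly's rm.c: one way to do what the mail proposes, clearing the setuid/setgid bits when rm -P meets a file that has other hard links. The function names and the /tmp demo file are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from rm.c): if `path` is a regular file with more
 * than one hard link, clear its setuid/setgid bits. The mode is stored in the
 * inode, so every remaining link loses the bits too.
 * Returns 1 if bits were cleared, 0 if nothing needed doing, -1 on error. */
int strip_privs_if_linked(const char *path)
{
    struct stat sb;
    int rc = 0;
    int fd = open(path, O_RDONLY | O_NOFOLLOW); /* never follow a symlink */

    if (fd < 0)
        return -1;
    if (fstat(fd, &sb) < 0)                     /* same inode we will chmod */
        rc = -1;
    else if (S_ISREG(sb.st_mode) && sb.st_nlink > 1 &&
             (sb.st_mode & (S_ISUID | S_ISGID)))
        rc = fchmod(fd, sb.st_mode & 07777 & ~(S_ISUID | S_ISGID)) < 0 ? -1 : 1;
    close(fd);
    return rc;
}

/* Constructed demo: create a setuid file and a second link to it in /tmp,
 * strip via the first name, and return the setuid/setgid bits still visible
 * through the second link (0 expected), or -1 on setup failure. */
int demo_remaining_bits(void)
{
    char orig[] = "/tmp/rmP-demo-XXXXXX", alias[64];
    struct stat sb;
    int bits = -1, fd = mkstemp(orig);

    if (fd < 0)
        return -1;
    snprintf(alias, sizeof(alias), "%s.link", orig);
    if (fchmod(fd, 04755) == 0 && link(orig, alias) == 0 &&
        strip_privs_if_linked(orig) == 1 && stat(alias, &sb) == 0)
        bits = (int)(sb.st_mode & (S_ISUID | S_ISGID));
    close(fd);
    unlink(orig);
    unlink(alias);
    return bits;
}
```
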