Subject: Re: security/7060: find and rm
To: Dave Sainty <dave@dtsp.co.nz>
From: Richard Earnshaw <rearnsha@arm.com>
List: netbsd-bugs
Date: 03/01/1999 13:12:04
> Chris Jones writes:
>
> > >Number: 7060
> > >Category: security
> > >Synopsis: find and rm
> > >Confidential: no
> > >Severity: serious
> > >Priority: medium
> > >Responsible: security-officer (NetBSD Security Officer)
> > >State: open
> > >Class: change-request
> > >Submitter-Id: net
> > >Arrival-Date: Sat Feb 27 22:50:00 1999
> > >Last-Modified:
> > >Originator: Chris Jones
> > >Release: Feb 23, 1999
> > >Environment:
> >
> > >Description:
> > NetBSD has had a problem with find and rm in the daily script for a
> > while. As I understand it, the issue is a race condition: Find is
> > trying to remove files that match certain criteria, but there is a
> > race condition between the time when it runs stat on a file and when
> > it (or rm) unlinks the file.
>
> This problem is pretty much exclusive to interactions with find(1).
> Maybe find(1) should be enhanced with a feature to chdir() to the
> directory securely before executing the command, and then just pass
> the unqualified filename to the command.
>
> Because, after all, the problem is not just restricted to destructive
> operations.
>
> The flag to rm(1) would be useful in some but very few cases, and the
> function could be implemented within rm instead of as a system call.
> It would just be more expensive that way (rm would have to traverse
> the path itself, stating as it went). But adding new system calls
> seems..... too much....
>
Hm, why not add a -rm option to find. Then there can be no race, since we
can bypass the inode->filename->inode translation (which is the root cause
of the hole).