#71663 tmpreaper should change to the starting directory in a secure way

Package:
tmpreaper
Source:
tmpreaper
Description:
cleans up files in directories based on their age
Submitter:
Roderich Schupp
Date:
2005-07-18 03:45:40 UTC
Severity:
wishlist
#71663#5
Date:
2000-09-14 12:21:09 UTC
From:
To:
Hi,
the whole purpose of tmpreaper is to traverse a filesystem subtree
(and remove old files there) in a secure way, avoiding
the security holes in `find /dir ... -exec rm {} \;´
It is however very lax in the handling of the top level directory
(the one given on the command line). It simply does a chdir
on startup. Sure, there is the check whether the top is a symlink.
But that doesn't cover the case where there are symlinks
on the path from the root to the top. Even the symlink check
is bogus, since there is the obvious race between the lstat and the chdir.

I stumbled over this when I wanted to use tmpreaper to periodically
clean up a certain subdirectory in my users' home directories (it's kinda
trashcan directory for a version control system that sometimes
fills up with junk without the user noticing it). Since
/home/jluser/.junk is definitely not under my control (as opposed
to /tmp, say) I cannot be sure that invoking tmpreaper on it
wouldn't open a security hole.

So I propose that tmpreaper do the following:
chdir(/) and then proceed with its normal algorithm
down to the top level directory (refusing to cross symlinks,
checking device/inode number before and after chdir).

If the maintainer thinks this would be usefull feature,
I'll whip up patch.

Cheers, Roderich

#71663#10
Date:
2000-09-14 18:11:37 UTC
From:
To:
One way of avoiding this would be to do:

    su jluser tmpreaper ...

so that jluser's directory is cleaned with his UID.
An alternative would be to add a --uid flag to tmpreaper for
the UID to run under, what do you think?

Yes, please!


Paul Slootman

#71663#15
Date:
2001-06-02 22:50:07 UTC
From:
To:
Sorry for ignoring this up to now, wasn't intentional. Somehow other
things (isdnutils) got in the way...

I've been looking at your patch, but I don't see how it avoids symlink
components... Also, I've heard that many people have /tmp symlinked to
/var/tmp, and use /tmp/. as the starting point (which will not work if
symlinks are checked for) so perhaps symlinks in the root directory
should be allowed at least? If you can't control what goes into the root
directory, then you have other problems :-)  Or perhaps even allow
symlinks in directories owned by root which are only writeable by root?

Also I don't see anything about the "checking device/inode number before
and after chdir" that you wrote in the first message...


Could you please elaborate on this?


Thanks,
Paul Slootman

#71663#20
Date:
2001-06-02 23:03:30 UTC
From:
To:
Thank you for the additional information you have supplied regarding
this problem report.  It has been forwarded to the developer(s) and
to the developers mailing list to accompany the original report.

Your message has been sent to the package maintainer(s):
 Paul Slootman <paul@debian.org>

If you wish to continue to submit further information on your problem,
please send it to 71663@bugs.debian.org, as before.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the Bug-tracking system.

Darren Benham
(administrator, Debian Bugs database)