From larse@nik.isi.edu  Fri Oct 24 16:43:41 2003
Return-Path: <larse@nik.isi.edu>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B5B2E16A4B3
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 24 Oct 2003 16:43:38 -0700 (PDT)
Received: from nik.isi.edu (nik.isi.edu [128.9.168.58])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0B7E643FB1
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 24 Oct 2003 16:43:38 -0700 (PDT)
	(envelope-from larse@nik.isi.edu)
Received: from nik.isi.edu (localhost [127.0.0.1])
	by nik.isi.edu (8.12.10/8.12.10) with ESMTP id h9ONhb0Z003789
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 24 Oct 2003 16:43:37 -0700 (PDT)
	(envelope-from larse@nik.isi.edu)
Received: (from larse@localhost)
	by nik.isi.edu (8.12.10/8.12.10/Submit) id h9ONhb3S003788;
	Fri, 24 Oct 2003 16:43:37 -0700 (PDT)
	(envelope-from larse)
Message-Id: <200310242343.h9ONhb3S003788@nik.isi.edu>
Date: Fri, 24 Oct 2003 16:43:37 -0700 (PDT)
From: Lars Eggert <larse@isi.edu>
Reply-To: Lars Eggert <larse@isi.edu>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: /etc/periodic/daily/100.clean-disks traverses non-local file systems
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         58504
>Category:       conf
>Synopsis:       [patch] /etc/periodic/daily/100.clean-disks traverses non-local file systems
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 24 16:50:24 PDT 2003
>Closed-Date:    Sun Nov 13 08:06:07 GMT 2005
>Last-Modified:  Sun Nov 13 08:06:07 GMT 2005
>Originator:     Lars Eggert
>Release:        FreeBSD 5.1-CURRENT i386
>Organization:
>Environment:
System: FreeBSD nik.isi.edu 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Fri Oct 24 13:47:51 PDT 2003 root@nik.isi.edu:/usr/obj/usr/src/sys/KERNEL-1.32 i386


>Description:
The find(1) command in /etc/periodic/daily/100.clean-disks traverses
non-local and read-only file systems, despite a carefully crafted
argument string that tries to avoid this.

This bug is probably due to a deficiency in find(1). When called with
"-delete", find(1) switches to depth-first traversal, according to the
man page:

     -delete
             Delete found files and/or directories. Always returns
             true. This executes from the current working directory as
             find recurses down the tree. It will not attempt to
             delete a filename with a ``/'' character in its pathname
             relative to ``.'' for security reasons. Depth-first
                                                     ^^^^^^^^^^^
             traversal processing is implied by this option.
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

However, in depth-first traversal mode, the "-prune" switch has no
effect, causing traversal of non-local and read-only file systems.
Again, from the find(1) man page:

     -prune  
             This primary always evaluates to true. It causes find to
             not descend into the current file. Note, the -prune
                                                ^^^^^^^^^^^^^^^^
             primary has no effect if the -d option was specified.
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

("-d" is a synonym for "-depth")

Removing "-delete" causes correct behavior, and non-local and
read-only file systems are not traversed. Obviously, this is not a
workaround, because no files will be deleted, but it proves the
point of the argument.

>How-To-Repeat:
Run /etc/periodic/daily/100.clean-disks with read-only or non-local
file systems present.

>Fix:
This seems to fix it, but doesn't support $daily_clean_disks_verbose yet.

Index: 100.clean-disks
===================================================================
RCS file: /home/xbone/CVSROOT/FreeBSD-CURRENT-etc/periodic/daily/100.clean-disks,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 100.clean-disks
--- 100.clean-disks	21 Sep 2002 00:26:56 -0000	1.1.1.1
+++ 100.clean-disks	24 Oct 2003 23:42:23 -0000
@@ -42,7 +42,7 @@
 	    esac
 
 	    rc=$(find / \( ! -fstype local -o -fstype rdonly \) -a -prune -o \
-		\( $args \) -atime +$daily_clean_disks_days -delete $print |
+		\( $args \) -atime +$daily_clean_disks_days -print0 | xargs -0 rm -v |
 		tee /dev/stderr | wc -l)
 	    [ -z "$print" ] && rc=0
 	    [ $rc -gt 1 ] && rc=1
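Review bot: the `-print0 | xargs -0 rm -v` replacement on the `+` line opens a time-of-check/time-of-use window between find(1) deciding a path is an old file on a local, writable file system and rm(1) unlinking that path by name. In the world-writable trees this script sweeps via `$args`, a user who owns an intermediate directory can swap it for a symlink inside that window and have root's rm remove a file of their choosing, which is exactly what the quoted man page says `-delete` avoids by working from the current directory on `/`-free names. Keep the deletion inside find. If the goal is only to stop deleting on the excluded file systems, the fstype tests can be ANDed into the match branch instead of hung off the `-prune` that `-delete`'s implied `-depth` ignores, e.g. `find / \( -fstype local -a ! -fstype rdonly \) -a \( $args \) -atime +$daily_clean_disks_days -delete $print`, at the cost of still descending those mounts. Also, `rm -v` writes to stdout, so `tee /dev/stderr | wc -l` now echoes and counts rm's output unconditionally, while `$print` is dropped from the pipeline but still consulted by `[ -z "$print" ] && rc=0` on the next context line; that is the `$daily_clean_disks_verbose` handling the submitter notes is missing.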



>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->suspended 
State-Changed-By: linimon 
State-Changed-When: Sun Nov 13 07:59:16 GMT 2005 
State-Changed-Why:  
Original submitter claimed the patch needed more work. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=58504 
State-Changed-From-To: suspended->closed 
State-Changed-By: linimon 
State-Changed-When: Sun Nov 13 08:05:24 GMT 2005 
State-Changed-Why:  
Submitter's email address bounces. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=58504 
>Unformatted:
This fix shouldn't be applied... it introduces a race condition (between
when the file is found and when rm tries to remove it) that can be abused
so that the attacker can choose the files that will be deleted with the
well timed replacement of a file with a symlink.
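
The -prune/-depth interaction the report describes, reproduced on a constructed directory tree. This is an added example, not part of PR 58504 or of the FreeBSD periodic scripts: the keep/ and skip/ directories stand in for the local and the non-local or read-only mounts, and the `-path` test in the last function stands in for the `-fstype` tests, since only real mount points carry distinct fstypes. It runs with both BSD and GNU find; `-depth` is written out where the script relies on `-delete` implying it, because GNU find rejects `-prune` together with `-delete` unless `-depth` is explicit.

```shell
#!/bin/sh
# Added example, not from PR 58504: shows that -prune is a no-op once
# -depth is in effect, and that -delete (which implies -depth) therefore
# removes files -prune was meant to protect.  Uses a throw-away tree:
# "keep" plays the local file system, "skip" the NFS/read-only mount.

set -eu

# Build a fresh tree with one "core" file on each side; print its root.
make_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/keep/sub" "$t/skip/sub"
    : > "$t/keep/sub/core"
    : > "$t/skip/sub/core"
    printf '%s\n' "$t"
}

# Pre-order traversal: -prune stops the descent into skip/, so no path
# under skip/ is printed.  Prints the count of matches under skip/: 0.
pruned_without_depth() {
    find "$1" -name skip -prune -o -name core -print | grep -c /skip/ || true
}

# Post-order traversal (-depth, what -delete turns on): skip/sub/core is
# visited before skip/ itself, so -prune comes too late to matter: 1.
pruned_with_depth() {
    find "$1" -depth -name skip -prune -o -name core -print | grep -c /skip/ || true
}

# The -delete case, -depth made explicit so GNU find accepts the
# -prune/-delete pair.  Both core files are removed, including the one in
# the "excluded" subtree.  Prints the number of core files left: 0.
survivors_with_prune() {
    find "$1" -depth -name skip -prune -o -name core -delete
    find "$1" -name core | wc -l | tr -d ' '
}

# An exclusion that survives -depth: make it part of the match expression
# (ANDed) instead of a -prune branch.  skip/ is still traversed, but nothing
# in it is deleted.  Prints the number of core files left: 1 (skip's).
survivors_with_path_test() {
    find "$1" -depth ! -path "$1/skip/*" -name core -delete
    find "$1" -name core | wc -l | tr -d ' '
}

# Usage: sh prune-vs-depth.sh   (runs the four cases on fresh trees)
for case in pruned_without_depth pruned_with_depth \
            survivors_with_prune survivors_with_path_test; do
    T=$(make_tree)
    printf '%-26s %s\n' "$case" "$("$case" "$T")"
    rm -rf "$T"
done
```

The last function is the analogue of ANDing `\( -fstype local -a ! -fstype rdonly \)` into the match branch of the periodic script's find: deletion stays restricted to local, writable file systems even under `-delete`, but the excluded mounts are still descended, so it addresses the deletion side of the report and not the traversal cost.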
