From mi@rtfm.ziplink.net  Sun Oct 27 23:13:19 1996
Received: from rtfm.ziplink.net ([199.232.255.52])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA06557
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 27 Oct 1996 23:13:09 -0800 (PST)
Received: (from root@localhost) by rtfm.ziplink.net (8.7.5/8.7.3) id CAA07105; Mon, 28 Oct 1996 02:10:33 -0500 (EST)
Message-Id: <199610280710.CAA07105@rtfm.ziplink.net>
Date: Mon, 28 Oct 1996 02:10:33 -0500 (EST)
From: mi@aldan.ziplink.net
Reply-To: mi@aldan.ziplink.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: filenames with unusual characters and /etc/security (or find(1))
X-Send-Pr-Version: 3.2

>Number:         1910
>Category:       misc
>Synopsis:       filenames with unusual characters break /etc/security (or find(1))
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 27 23:20:01 PST 1996
>Closed-Date:    Sun Feb 23 13:34:51 PST 1997
>Last-Modified:  Sun Feb 23 13:37:09 PST 1997
>Originator:     Mikhail Teterin
>Release:        2.1.5-RELEASE
>Organization:
>Environment:


>Description:

	Date: Sat, 19 Oct 1996 02:00:11 -0400 (EDT)
	From: Charlie Root <root>
	Subject: aldan security check output

	checking setuid files and devices:
	find: /root/Mail/sent mail: illegal path
	find: /root/Mail/sent mail/1: illegal path
	find: /root/Mail/sent mail/.1.summary: illegal path
	find: /root/Mail/sent mail/2: illegal path
	find: /root/News/vulisa : illegal path

	checking for uids of 0:
	root 0
	toor 0

>How-To-Repeat:

	Make a file with <<space>> in in its name, and see what happens.

>Fix:
	
	Ignore this part of /etc/security output ;) The potential threat is,
	one of THIS files may, actually, be setuid... Closer examination,
	allows to think find(1) is broken on this:

	find -X /root -type f \( -perm -u+x -or -perm -g+x -or -perm \
		-o+x \) \( -perm -u+s -or -perm -g+s \)

	leads to:
		find: /root/Mail/sent mail: illegal path
		find: /root/Mail/sent mail/1: illegal path
		find: /root/Mail/sent mail/.1.summary: illegal path
		find: /root/Mail/sent mail/2: illegal path
		find: /root/News/vulisa : illegal path

	but I am not sure.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->pst 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Sat Feb 22 15:51:37 PST 1997 
Responsible-Changed-Why:  
A security officer should investigate this. 

(maybe use "find -ls" to fix it?) 
Responsible-Changed-From-To: pst->guido 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Sat Feb 22 18:33:52 PST 1997 
Responsible-Changed-Why:  
Guido is now the main security oficer. 

From: Mike Pritchard <mpp>
To: freebsd-gnats-submit
Cc:  Subject: Re: misc/1910
Date: Sat, 22 Feb 1997 23:39:22 -0800 (PST)

 After looking at /etc/security & find, both are doing as they
 were told.  Find is being called by /etc/security with the "-X"
 flag, which says to not pass bogus file names to xargs.
 E.g. files with spaces in them (see the find man page for the
 full list).  
 
 However, this could infact fail to find some setuid files if they
 were hidden this way.  Perhaps calling find with "-ls" instead
 is the way to go.  Although the -ls output doesn't match
 the output that security generated by execing xargs.
 -- 
 Mike Pritchard
 mpp@FreeBSD.org
 "Go that way.  Really fast.  If something gets in your way, turn"
State-Changed-From-To: open->closed 
State-Changed-By: mpp 
State-Changed-When: Sun Feb 23 13:34:51 PST 1997 
State-Changed-Why:  
Fixed by: 

/home/ncvs/src/etc/security,v  <--  security 
new revision: 1.19; previous revision: 1.18 


Responsible-Changed-From-To: guido->freebsd-bugs 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Sun Feb 23 13:34:51 PST 1997 
Responsible-Changed-Why:  
Changed back to the mailing list for list notification. 
>Unformatted:
