Re: cvs commit: src/bin/rm rm.1 rm.c

["Simon 'corecode' Schubert" <corecode@xxxxxxxxxxxx>]

Victor Balada Diaz wrote:
> On Sat, Nov 04, 2006 at 06:26:39PM -0800, Matthew Dillon wrote:
> > dillon      2006/11/04 18:26:39 PST
> >
> > DragonFly src repository
> >
> >   Modified files:
> >     bin/rm               rm.1 rm.c 
> >   Log:
> >   Sync our rm -P option with OpenBSD - if the file has a hardlink count
> >   greater then one do not overwrite it or remove it, and issue a warning.
>
> If you use -P you know what you're doing, or at least if you use -f
> with -P. DragonFly by default allows any user to do a hard link to
> a file he doesn't own, so if you really want to delete file contents
> you must be able to.

I think in any case, rm -P should remove setuid/gid bits from the file, because if your intention originally was to completely remove the file, and suddenly it (and its links) stay arround, still with setuid set, it could be quite bad.

The situation I have in my head is (courtesy of vbd):

/home symlink to /usr/home

eviluser$ ln /usr/bin/lpr /usr/home/eviluser/tmp/lpr-faulty
# yay.  lpr-faulty is setuid root

# security advisory: vuln in lpr
root# rm -P /usr/bin/lpr
root#  # eh?  warning?  whatever, never find out where the link is
root# rm /usr/bin/lpr
root# install -mode 1555 /root/fixed-lpr /usr/bin/lpr

# one month later
eviluser$ exploit ~/tmp/lpr-fault


cheers
 simon

--
Serve - BSD     +++  RENT this banner advert  +++    ASCII Ribbon   /"\
Work - Mac      +++  space for low €€€ NOW!1  +++      Campaign     \ /
Party Enjoy Relax   |   http://dragonflybsd.org      Against  HTML   \
Dude 2c 2 the max   !   http://golden-apple.biz       Mail + News   / \

Attachment: signature.asc
Description: OpenPGP digital signature