compress old puppet reports
Jan-Frode Myklebust
janfrode at tanso.net
Tue May 17 22:18:58 UTC 2011
On Tue, May 17, 2011 at 04:35:00PM -0400, seth vidal wrote:
>
> "When changing directories, tmpwatch is very sensitive to possible race
> conditions and will exit with an error if one is detected. It does not
> follow symbolic links in the directories it's cleaning (even if a symbolic
> link is given as its argument), will not switch filesystems,
> skips lost+found directories owned by the root user, and only removes
> empty directories, regular files, and symbolic links."
Not sure if this is a documentation or code bug, but this doesn't
seem true on the two RHEL5/6 systems I just tested.
> > > It guards against symlink attack by anyone who can run something as
> > > user "puppet" and replace /var/lib/puppet/reports/ with a symlink to
> > > somewhere else (/).
>
> so in answer to this - no in fact, tmpwatch can't be exploited that way.
>
$ rpm -q tmpwatch
tmpwatch-2.9.16-3.el6.x86_64
$ ln -s /etc/ /var/tmp/test
$ /usr/sbin/tmpwatch --mtime 720 --test /var/tmp/test/
removing file /etc/csh.login
removing file /etc/gimp/2.0/unitrc
removing file /etc/gimp/2.0/sessionrc
removing file /etc/gimp/2.0/controllerrc
removing file /etc/gimp/2.0/menurc
removing file /etc/gimp/2.0/gimprc
removing file /etc/gimp/2.0/gtkrc
<snip>
-jf
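The behaviour the quoted man page promises (refuse a symlinked argument, never follow symlinks while walking, stay on one filesystem, remove only regular files, symlinks and empty directories), written out as an added Python example; this is not tmpwatch's code or anything posted in the thread, and the function name `stale_entries` and its dry-run (report-only) style are my own choices.

```python
"""Symlink-safe age-out of a reports directory (added example, not tmpwatch's code).

Models the behaviour the quoted man page promises: a symlinked root is refused,
symlinks met while walking are never followed, the walk stays on one filesystem,
and only regular files, symlinks and empty directories are candidates. Like
`tmpwatch --test` it reports what would go instead of deleting anything.
"""
import os
import stat
import time
from typing import List, Optional


def stale_entries(root: str, max_age_hours: float,
                  now: Optional[float] = None) -> List[str]:
    """Paths under `root` whose mtime is older than max_age_hours (nothing is deleted)."""
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    top = os.lstat(root)                  # lstat: a symlinked root shows up as a link
    if stat.S_ISLNK(top.st_mode):
        raise ValueError(f"refusing to clean {root!r}: it is a symlink")
    if not stat.S_ISDIR(top.st_mode):
        raise ValueError(f"{root!r} is not a directory")
    device = top.st_dev
    victims: List[str] = []
    # follow_symlinks=False: symlinks to directories are listed but never entered;
    # dir_fd-relative stats mean a path renamed mid-walk cannot be swapped under us.
    for dirpath, dirnames, filenames, dirfd in os.fwalk(root, follow_symlinks=False):
        dst = os.fstat(dirfd)
        if dst.st_dev != device:          # do not cross into another filesystem
            dirnames[:] = []
            continue
        if dirpath != root and not dirnames and not filenames and dst.st_mtime < cutoff:
            victims.append(dirpath)       # only *empty* directories qualify
        for name in dirnames + filenames:
            st = os.stat(name, dir_fd=dirfd, follow_symlinks=False)
            if stat.S_ISDIR(st.st_mode):
                continue                  # real subdirectory: judged when the walk reaches it
            if not (stat.S_ISREG(st.st_mode) or stat.S_ISLNK(st.st_mode)):
                continue                  # sockets, fifos, devices are left alone
            if st.st_mtime < cutoff:
                victims.append(os.path.join(dirpath, name))
    return sorted(victims)


if __name__ == "__main__":
    import sys
    for victim in stale_entries(sys.argv[1], float(sys.argv[2])):
        print("would remove", victim)
```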