On Tue, 2011-05-17 at 15:06 -0400, seth vidal wrote:
On Tue, 2011-05-17 at 18:59 +0200, Jan-Frode Myklebust wrote:
> On Tue, May 17, 2011 at 08:23:31AM -0400, seth vidal wrote:
> > >
> > > # clean up all but the last 1 month of puppet reports
> > > -/usr/sbin/tmpwatch --mtime 720 /var/lib/puppet/reports/
> > > +/sbin/runuser -s /bin/sh - puppet -c "/usr/sbin/tmpwatch --mtime 720
/var/lib/
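Review bot: the `+` line is cut off after `/var/lib/` (the rest of the path and the closing `"` of the `-c` argument are not visible), so the hunk cannot be judged complete from what is quoted; please re-post or check the committed line. Otherwise wrapping tmpwatch in `/sbin/runuser -s /bin/sh - puppet -c "..."` is the right direction: tmpwatch then runs with only the puppet user's permissions on /var/lib/puppet/reports/ rather than root's, so a mistake or misplaced path in that command can delete no more than the puppet user could anyway.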
>
> (scary how git diff cuts lines at end of terminal..)
I suspect git did not - but I cut and pasted it badly.
I was thinking about this more and looked up something I remembered from
tmpwatch:
"When changing directories, tmpwatch is very sensitive to possible race
conditions and will exit with an error if one is detected. It does not
follow symbolic links in the directories it's cleaning (even if a symbolic
link is given as its argument), will not switch filesystems,
skips lost+found directories owned by the root user, and only removes
empty directories, regular files, and symbolic links."
So at best it will remove the symlink but not what the symlink points
to.
I could add --nosymlinks if I wanted it to ignore them entirely, but it
won't traverse them.
> It guards against a symlink attack by anyone who can run something as
> user "puppet" and replace /var/lib/puppet/reports/ with a symlink to
> somewhere else (/).
So, in answer to this: no, in fact tmpwatch can't be exploited that way.
-sv
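As an added example (not code from the thread, from puppet or from tmpwatch), the man-page behaviour quoted above can be checked directly with find(1), which likewise refuses to follow symlinks unless told to. The script builds a constructed reports directory under mktemp, plants a stale symlink to a sibling directory standing in for the "/" in the scenario discussed, prunes entries older than 30 days (the 720 hours in the cron line), and confirms that the link is unlinked while its target is untouched, and that a symlink handed in as the argument is not descended into either. The file names, the 30-day cutoff and the `prune_reports` helper are assumptions for the demo, not anything from the cron job itself.

```shell
#!/bin/sh
# Added example, not code from the thread, from puppet or from tmpwatch: a
# cleanup routine built on find(1) that honours the same guarantees the
# quoted tmpwatch passage lists. The directory layout, file names and the
# age in days are constructed for the demo.

# prune_reports DIR DAYS
# Remove entries under DIR (never DIR itself) whose own mtime is older than
# DAYS days. find(1) uses lstat and does not follow symlinks unless given -L,
# so a symlink to another directory is a link to unlink, never a directory to
# descend into; -xdev stops it crossing mount points.
prune_reports() {
    dir=$1
    days=$2
    [ -d "$dir" ] || return 1
    # Regular files and symlinks: rm -f on a symlink removes the link itself,
    # never what it points to.
    find "$dir" -xdev -mindepth 1 \( -type f -o -type l \) \
        -mtime +"$days" -exec rm -f {} +
    # Directories, deepest first. rmdir refuses non-empty directories, so
    # only empty ones actually go; those failures are expected and ignored.
    find "$dir" -xdev -mindepth 1 -depth -type d -mtime +"$days" \
        -exec rmdir {} \; 2>/dev/null || true
    return 0
}

# demo_symlink_safety
# Build a constructed reports tree in a temp dir, plant a stale symlink that
# points outside it (standing in for "/" in the thread), prune, and check
# what survived. Returns 0 only if every expectation holds.
demo_symlink_safety() {
    base=$(mktemp -d) || return 1
    reports=$base/reports
    outside=$base/elsewhere
    mkdir -p "$reports/old-empty" "$outside"
    : > "$reports/old.yaml"
    : > "$reports/new.yaml"
    : > "$outside/important"
    ln -s "$outside" "$reports/escape"
    # Backdate everything that must look expired, including the link itself
    # (-h touches the symlink rather than its target). If find followed the
    # link, "important" would be old enough to be deleted.
    touch -t 200001010000 "$reports/old.yaml" "$reports/old-empty" \
        "$outside/important"
    touch -h -t 200001010000 "$reports/escape"

    prune_reports "$reports" 30

    status=0
    [ -e "$outside/important" ]   || status=1  # symlink target untouched
    [ ! -L "$reports/escape" ]    || status=1  # the stale link itself is gone
    [ ! -e "$reports/old.yaml" ]  || status=1  # expired report removed
    [ -e "$reports/new.yaml" ]    || status=1  # fresh report kept
    [ ! -d "$reports/old-empty" ] || status=1  # expired empty dir removed

    # Second guarantee from the man page: a symlink given as the argument is
    # not followed either, so pruning through the link cannot reach $outside.
    ln -s "$outside" "$base/reports-link"
    prune_reports "$base/reports-link" 30
    [ -e "$outside/important" ]   || status=1

    rm -rf "$base"
    return $status
}

# Stand-alone run: the exit status reports the outcome.
demo_symlink_safety && echo "symlink target survived, stale entries pruned"
```

It runs as any user and touches no real path. It mirrors the symlink and filesystem-boundary guarantees from the quoted passage, not tmpwatch's race-condition checks, and is a demonstration of the behaviour rather than a replacement for the cron entry; combined with the runuser change, even a cleanup that did misbehave would be limited to what the puppet user may delete.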