[Pkg-sysvinit-devel] Why is noclobber used in bootclean.sh?

Thomas Hood jdthood at yahoo.co.uk
Mon Jan 9 15:36:31 UTC 2006


To create flag files, the functions in bootclean.sh do this:

    rm -f /tmp/.clean
    set -o noclobber
    :> /tmp/.clean
    set +o noclobber

I am guessing that the current code aims to defend against a symlink
attack: first the file is deleted, and then the file is created with
"noclobber" set in case a symlink has been created in the meantime.

This does ensure that no process running simultaneously can carry out
a symlink attack; however, it does not ensure that the flag file
actually gets created, since an attacker could put something at that
location between the rm and :> and then delete it afterwards.

Is it necessary to worry about symlink attacks in bootclean, which normally
runs when no services are running?  If it's not necessary to worry about a
symlink attack (or if that isn't the reason for the code being the way it is),
would it be equally good to do this:

    [ -f /tmp/.clean ] || :> /tmp/.clean

or even:

    :> /tmp/.clean

?  If not, why not?
-- 
Thomas
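
Added example, not part of the original message or of bootclean.sh: a sandboxed comparison of the three idioms discussed above when a symlink already sits at the flag path. The try_variant function, the victim file and the private mktemp directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: constructed sandbox, not code from bootclean.sh.
# try_variant VARIANT PLANT prints "<flag> <victim>" after one run.
#   VARIANT: noclobber | test-f | plain   (the three idioms in the post)
#   PLANT:   none | dangling | existing   (symlink left at the flag path)
try_variant() {
    dir=$(mktemp -d) || return 1
    flag=$dir/.clean
    victim=$dir/victim            # hypothetical file the symlink points at

    # Only the noclobber idiom removes the path first; the plant below then
    # models something appearing between the rm and the ":>".
    if [ "$1" = noclobber ]; then rm -f "$flag"; fi
    case $2 in
        existing) printf 'data\n' > "$victim"; ln -s "$victim" "$flag" ;;
        dangling) ln -s "$victim" "$flag" ;;
    esac

    case $1 in
        noclobber)
            # Subshell: a failed redirection on the special builtin ":" makes
            # a POSIX sh exit, and noclobber stays local to this step.
            ( set -o noclobber; : > "$flag" ) 2>/dev/null || : ;;
        test-f)
            [ -f "$flag" ] || : > "$flag" ;;
        plain)
            : > "$flag" ;;
    esac

    if [ -L "$flag" ]; then f=symlink
    elif [ -f "$flag" ]; then f=regular
    else f=missing; fi
    if [ ! -e "$victim" ]; then v=absent
    elif [ -s "$victim" ]; then v=intact
    else v=written; fi            # created or truncated through the symlink
    rm -rf "$dir"
    printf '%s %s\n' "$f" "$v"
}

for variant in noclobber test-f plain; do
    for plant in none dangling existing; do
        printf '%-9s %-8s -> %s\n' "$variant" "$plant" "$(try_variant "$variant" "$plant")"
    done
done
```

On Linux, fs.protected_symlinks restricts following symlinks in sticky world-writable directories such as /tmp; the sandbox directory here is private and not sticky, so the output reflects the shell idioms alone.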


