[Pkg-sysvinit-devel] Why is noclobber used in bootclean.sh?
Miquel van Smoorenburg
miquels at cistron.nl
Mon Jan 9 18:18:39 UTC 2006
On Mon, 2006-01-09 at 16:36 +0100, Thomas Hood wrote:
> To create flag files, the functions in bootclean.sh do this:
>
> rm -f /tmp/.clean
> set -o noclobber
> :> /tmp/.clean
> set +o noclobber
>
> I am guessing that the current code aims to defend against a symlink
> attack: first the file is deleted, and then the file is created with
> "noclobber" set in case a symlink has been created in the meantime.
>
> This does ensure that no process running simultaneously can carry out
> a symlink attack; however, it does not ensure that the flag file
> actually gets created, since an attacker could put something at that
> location between the rm and :> and then delete it afterwards.
>
> Is it necessary to worry about symlink attacks in bootclean, which normally
> runs when no services are running?
I think there's a discussion somewhere in the archived bug reports. Ah
yes, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=264234 . Indeed it
appears that the noclobber isn't really necessary (but it doesn't hurt
either).
> If it's not necessary to worry about a
> symlink attack (or if that isn't the reason for the code being the way it is),
> would it be equally good to do this:
>
> [ -f /tmp/.clean ] || :> /tmp/.clean
>
> or even:
>
> :> /tmp/.clean
>
> ? If not, why not?
Well you must definitely do the rm, since otherwise an attacker could
symlink /tmp/.clean to /etc/passwd, crash the system somehow, and then
you'd end up with a very very small password file.
Mike.
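
The difference between a bare `:>` and the `rm` plus `noclobber` sequence discussed in this thread, as an added shell example that is not part of the original message or of bootclean.sh. The function names and the temporary-directory layout are assumptions made for the demonstration; "victim" stands in for a file such as /etc/passwd.

```shell
#!/bin/sh
# Added example. All paths live in a mktemp directory (constructed input).

# Bare truncating redirect: open() follows a symlink at the flag path.
flag_plain() { : > "$1"; }

# The bootclean.sh idiom: unlink the path, then create it under noclobber.
# The subshell keeps noclobber from leaking into the caller and contains the
# shell exit POSIX allows when a redirect on the special builtin ':' fails.
flag_safe() {
    (
        rm -f "$1" || exit 1
        set -o noclobber
        : > "$1"
    ) 2>/dev/null
}

# Plant a symlink at the flag path, run creator $1, and report through the
# exit status whether the symlink's target kept its contents.
victim_survives() {
    dir=$(mktemp -d) || return 2
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$dir/victim"
    ln -s "$dir/victim" "$dir/.clean"
    "$1" "$dir/.clean"
    if [ -s "$dir/victim" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

# Same setup; succeeds only if the flag ends up as a regular file, not a link.
flag_is_regular_file() {
    dir=$(mktemp -d) || return 2
    printf 'data\n' > "$dir/victim"
    ln -s "$dir/victim" "$dir/.clean"
    "$1" "$dir/.clean"
    if [ -f "$dir/.clean" ] && [ ! -L "$dir/.clean" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

for creator in flag_plain flag_safe; do
    if victim_survives "$creator"; then
        echo "$creator: symlink target left intact"
    else
        echo "$creator: symlink target truncated"
    fi
done
```

The demonstration covers only a symlink that already exists when the flag is created; the window between `rm` and `:>` raised in the quoted message is not reproduced here.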