old-www/LDP/LG/issue20/followup.html

<!--startcut ==========================================================-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<title>Cleaning up your /tmp -- Revisited Issue 20</title>
</HEAD>
<BODY BGCOLOR="#EEE1CC" TEXT="#000000" LINK="#0000FF" VLINK="#0020F0"
ALINK="#FF0000">
<!--endcut ============================================================-->

<H4>
&quot;Linux Gazette...<I>making Linux just a little more fun!</I>&quot;
</H4>

<P> <HR> <P> 
<!--===================================================================-->

<center>
<H2>Cleaning up you /tmp -- Revisited</H2>
<H4>By Guy Geens,
<a href="mailto:ggeens@iname.com">ggeens@iname.com</a></H4>
</center>
<P><HR>

<p><I>In issue 18, I described how to avoid certain security risks when
removing files from your <tt>/tmp</tt> directory.
I have received some letters as feedback, and I'll summarize the
issues here.
Some people said they didn't need the extra security. Well, they're
free <em>not</em> to use my script.</I> 

<h2>mtime vs. atime</h2>

<p>Michael Veksler <tt>&lt;mveksler@VNET.IBM.COM&gt;</tt> told me he
was worried about the use of the access time to determine the file's
age. His main concern was that files could be ``accidently'' touched
by
<pre>
find ... | xargs grep ...
</pre>
constructions. Personally, I don't have this problem, as I tend to
restrict the domain of my <tt>find</tt> sweeps.

<p>As I said in my first article, it's a personal taste. I frequently
unpack archives in my <tt>/tmp</tt> hierarchy. And I want to be
certain the files will stay there until I don't need them anymore.

<p>To me, 3 days after last looking at the file seems a reasonable
delay for that.

<p>But recently, I started using <tt>afio</tt> for transporting files
that won't fit on one floppy. And <tt>afio</tt> Remembers the access
time during archiving, and also sets this date while unpacking. This
could limit the lifespan of my files if I don't look at them
immediately. (As a sidenote, <tt>zip</tt> also sets the access time.)

<p>Obviously, there is one other possibility I neglected: using ctime
(inode change time). It is not possible to set this to an arbitrary
value, and it doesn't change as easily as the access time.

<h2>Avoiding perl</h2>

<p>Perl has a rather large memory footprint, and is not available on
every site. Therefore, Francois Wautier <
suggested:
<pre>
cp -p /bin/rm-static /usr/bin/find-static /tmp
chroot /tmp /find-static ... -exec /rm-static {} \;
rm /tmp/rm-static /tmp/find-static
</pre>

<p><tt>rm-static</tt> and <tt>find-static</tt> are statically compiled
versions of <tt>rm</tt> and <tt>find</tt>, respectively. The
<tt>-p</tt> flag ensures the resulting binary is owned by
<tt>root</tt>, closing one security risk. (A user might have created
her own <tt>/tmp/rm-static</tt> with the intend of changing the binary.)

<p>This gives rise to a new set of race conditions, although they
aren't as easy to exploit as the
<pre>
find ... | xargs rm
</pre>
security hole described in my first article.

<p>In general, I would advise against executing arbitrary files with
<tt>root</tt> permissions, especially if they are residing in a
publicly writeable directory (like <tt>/tmp</tt>). (It is also related
to the reason why `<tt>.</tt>' should never be in <tt>root</tt>'s path.

<p>This leads me to a real security risk:

<h2>Perl's internals</h2>

<p>(This one I found myself.)

<p>I recently upgraded to perl 5.004. After the upgrade, I noticed my
<tt>cleantmp</tt> script started emitting warnings about not finding
the <tt>pwd</tt> program.

<p>I looked into the perl module code, and it uses <tt>pwd</tt> to
determine the current directory.

<p>The script itself doesn't have problems with the missing binary, as
I'm using absolute paths everywhere. But it opens a <b>huge</b>
security hole: An executable called <tt>pwd</tt> in the right place in
the <tt>/tmp</tt> tree can give a user a process executing with
<tt>root</tt> permissions.

<p>In this case, the <tt>chroot</tt> <em>decreases</em> security,
instead of increasing it.

<p>For this reason, I have decided to remove the <tt>chroot</tt> from
the script entirely. That way, I can be sure only trusted binaries are
executed.

<h2>Omitting certain files and directories</h2>

<p>In the first version of my script, I demonstrated how to exclude
some files from being deleted. I obviously forgot one thing: a user
could create files or directories with the same names, and they would
never be deleted.

<p>The solution is easy: test the owner of the file, and if it isn't
<tt>root</tt>, just delete the file.

<h2>cleantmp, version 2</h2>

<p>Here is a <a href="cleantmp2.0">link</a> to the new script.
Comments are welcome.

<hr>
<address>
<a href="mailto:ggeens@iname.com">Guy Geens</a>
</address>

<!--===================================================================-->
<P> <hr> <P> 
<center><H5>Copyright &copy; 1997, Guy Geens<BR> 
Published in Issue 20 of the Linux Gazette, August 1997</H5></center>

<!--===================================================================-->
<P> <hr> <P> 
<A HREF="./index.html"><IMG ALIGN=BOTTOM SRC="../gx/indexnew.gif" 
ALT="[ TABLE OF CONTENTS ]"></A>
<A HREF="../index.html"><IMG ALIGN=BOTTOM SRC="../gx/homenew.gif"
ALT="[ FRONT PAGE ]"></A>
<A HREF="./lg_answer20.html"><IMG SRC="../gx/back2.gif"
ALT=" Back "></A>
<A HREF="./breakin.html"><IMG SRC="../gx/fwd.gif" ALT=" Next "></A>
<P> <hr> <P> 
<!--startcut ==========================================================-->
</BODY>
</HTML>
<!--endcut ============================================================-->