Hi,

it is possible to cheat a running "rm -r" into deleting any file
that the process owner has.

"rm -r" walks the directory structure, chdirs into directories,
and deletes non-directories.  In order to determine whether an
entry is a directory, it uses lstat.  The sequence lstat+chdir
inherently has a race condition, i.e., an attacker can change
a directory to a symbolic link between the lstat and the chdir.

Suggested solution: rm should stat "." after the chdir to verify
that it ended up where it wanted.  The overhead should be minimal.
(Doing a stat on ".." is possible too, but not nearly as good
since it cannot distinguish between subdirectories.)

I imagine that "chmod -R" and friends have the same problem.

Morten
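
The check suggested in the message above, as an added example that is not part of the original post and is not rm's own code: lstat the entry, chdir into it, then stat "." and compare device and inode numbers. The function names and the temporary-directory scenario are hypothetical; the swap is performed in-process to stand in for a concurrent attacker.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1 (what rm -r already does): lstat the entry, accept only a real directory. */
int lstat_is_dir(const char *name, struct stat *pre) {
    return (lstat(name, pre) == 0 && S_ISDIR(pre->st_mode)) ? 0 : -1;
}

/* Step 2 (the suggested check): chdir, then stat "." and compare device and
 * inode with the lstat result. Returns 0 if we landed in the inspected
 * directory, -2 if the entry was swapped (cwd is restored), -1 on error. */
int chdir_verified(const char *name, const struct stat *pre) {
    struct stat post;
    int back = open(".", O_RDONLY);          /* handle to return through */
    if (back < 0) return -1;
    int rc = -1;
    if (chdir(name) == 0) {
        if (stat(".", &post) == 0 && post.st_dev == pre->st_dev && post.st_ino == pre->st_ino)
            rc = 0;
        else
            rc = (fchdir(back) == 0) ? -2 : -1;
    }
    close(back);
    return rc;
}

/* Constructed scenario: swap != 0 replaces "victim" with a symlink to "other"
 * between the two steps, standing in for the concurrent attacker. */
int demo(int swap) {
    char tmpl[] = "/tmp/rmrace.XXXXXX";
    struct stat pre;
    if (!mkdtemp(tmpl) || chdir(tmpl) != 0) return -1;
    if (mkdir("victim", 0700) != 0 || mkdir("other", 0700) != 0) return -1;
    if (lstat_is_dir("victim", &pre) != 0) return -1;
    if (swap && (rmdir("victim") != 0 || symlink("other", "victim") != 0)) return -1;
    return chdir_verified("victim", &pre);
}

int main(void) {
    printf("no swap: %d, swapped: %d\n", demo(0), demo(1));
    return 0;
}
```

The comparison only reports the swap after the chdir has happened, so a caller must not unlink anything until it returns 0.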
