Morten Welinder <[EMAIL PROTECTED]> writes:
| it is possible to cheat a running "rm -r" into deleting any file
| that the process owner has.
|
| "rm -r" walks the directory structure, chdirs into directories,
| and deletes non-directories. In order to determine whether an
| entry is a directory, it uses lstat. The sequence lstat+chdir
| inherently has a race condition, i.e., an attacker can change
| a directory to a symbolic link between the lstat and the chdir.
|
| Suggested solution: rm should stat "." after the chdir to verify
| that it ended up where it wanted. The overhead should be minimal.
| (Doing a stat on ".." is possible too, but not nearly as good
| since it cannot distinguish between subdirectories.)

Thanks a lot.
I've just fixed that for the latest test release:

  ftp://alpha.gnu.org/gnu/fetish/fileutils-4.0s.tar.gz

| I imagine that "chmod -R" and friends have the same problem.

I'll look into it.
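
The check suggested in the report (stat "." after the chdir and confirm it is the directory lstat saw), as an added example that is not part of the original message and is not the fileutils code. The names `chdir_verified` and `demo` and the scratch path are hypothetical; identity is compared by `st_dev` and `st_ino`, and the swap is reproduced only inside a temporary directory the example creates.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Enter NAME, then stat "." and compare with what lstat saw earlier.
   Returns 0 if we landed in that directory; else -1, back at the start. */
int chdir_verified(const char *name, const struct stat *seen)
{
    struct stat now;
    int ok, start = open(".", O_RDONLY);
    if (start < 0)
        return -1;
    ok = S_ISDIR(seen->st_mode) && chdir(name) == 0;
    if (ok && (stat(".", &now) != 0 || now.st_dev != seen->st_dev
               || now.st_ino != seen->st_ino)) {
        ok = 0;
        if (fchdir(start) != 0)
            abort();            /* cannot get back: unsafe to continue */
    }
    close(start);
    return ok ? 0 : -1;
}

/* Constructed scenario in a scratch directory: lstat "sub", optionally
   replace it with a symlink to "other" (the swap), then enter it.
   Returns the check's result, or -2 if the setup itself failed. */
int demo(int swap)
{
    char tmpl[] = "/tmp/rmrace.XXXXXX";
    struct stat seen;
    int r = -2, home = open(".", O_RDONLY);
    if (home < 0 || !mkdtemp(tmpl) || chdir(tmpl) != 0)
        return -2;
    if (mkdir("sub", 0700) == 0 && mkdir("other", 0700) == 0
        && lstat("sub", &seen) == 0
        && (!swap || (rmdir("sub") == 0 && symlink("other", "sub") == 0))) {
        r = chdir_verified("sub", &seen);
        if (r == 0 && chdir("..") != 0)
            r = -2;
    }
    unlink("sub"); rmdir("sub"); rmdir("other");   /* best-effort cleanup */
    if (fchdir(home) != 0)
        r = -2;
    close(home);
    rmdir(tmpl);
    return r;
}
```

`demo(0)` enters the real directory and returns 0; `demo(1)` swaps it for a symlink after the lstat, so the post-chdir comparison fails and the traversal backs out with -1.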