> It's a security FAQ. If you do rm -rf (or nearly any of the other
> obvious/easy alternatives) in a world-writable directory, a hostile
> user can interact with it to erase any file on the system.
I believe that this is partially fixable: provided there is at least one file descriptor available per directory level, I think it is possible to safely remove everything but directories. Most briefly, fchdir to each directory, stat . and make sure it matches the directory we thought we chdired into (to avoid doing damage if we lose a symlink race). Then delete things using relative-to-. paths and fchdir back out. However, since there's no way to make rmdir(2) use NOFOLLOW, we have to either leave directory structure in place or risk removing an attacker's choice of empty directories.

Not that this makes it any easier to do the usual find | xargs rm style of cleanup, though. To do it safely in the way I refer to above would require doing it all inside rm. Might be worth doing, but quite possibly better done in the filesystem, to (a) avoid the need for the file descriptors, (b) delete a file here and a file there rather than the wholesale destruction of rm -rf (even if I'm right about it being possible to make it safe against hostile users), and (c) get directories right.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mo...@rodents-montreal.org
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B