Re: compress old puppet reports

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2011-05-18 at 00:18 +0200, Jan-Frode Myklebust wrote:
> On Tue, May 17, 2011 at 04:35:00PM -0400, seth vidal wrote:
> > 
> > "When changing directories, tmpwatch is very sensitive to possible  race
> >  conditions  and will exit with an error if one is detected. It does not
> >  follow symbolic links in the directories it's cleaning (even if a  symâ
> >  bolic  link  is  given  as  its argument), will not switch filesystems,
> >  skips lost+found directories owned by the root user, and  only  removes
> >        empty directories, regular files, and symbolic links."
> 
> 
> Not sure if this is a documentation or code bug, but this doesn't
> seem true on the two RHEL5/6 systems I just tested.. 
> 
> 
> > > > It guards against symlink attack by anyone who can run something as
> > > > user "puppet" and replace /var/lib/puppet/reports/ with a symlink to
> > > > somewhere else (/).
> > 
> > so in answer to this - no in fact, tmpwatch can't be exploited that way.
> > 
> 
> 	$ rpm -q tmpwatch
> 	tmpwatch-2.9.16-3.el6.x86_64
> 	$ ln -s /etc/ /var/tmp/test
> 	$ /usr/sbin/tmpwatch --mtime 720 --test /var/tmp/test/
> 	removing file /etc/csh.login
> 	removing file /etc/gimp/2.0/unitrc
> 	removing file /etc/gimp/2.0/sessionrc
> 	removing file /etc/gimp/2.0/controllerrc
> 	removing file /etc/gimp/2.0/menurc
> 	removing file /etc/gimp/2.0/gimprc
> 	removing file /etc/gimp/2.0/gtkrc
> 	<snip>
> 
> 	

then that is a code bug b/c it is specifically docummented as NOT doing
that.

-sv


_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure



[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux