du wildcards interpretation security flaw
From: Hans-Christian Armingeon
Subject: du wildcards interpretation security flaw
Date: Thu, 28 Feb 2002 17:53:13 +0100
Hi,
I've got a file in my home directory that begins with a "-".
See the output of du -sh * below. Maybe someone could place some nasty files in
temp, and when root does a du, then...
io-ii:/data/sort/johnny # du -sh *
du: invalid option -- p
Try `du --help' for more information.
io-ii:/data/sort/johnny #
io-ii:/data/sort/johnny # du -sh -- *
400k -pilot-link.0.9.3.tar.bz2
[...]
The exploit below doesn't work:
touch \>\ xyz
io-ii:/tmp/xxxxx # du -sh *
0 > xyz
0 a
0 aa
0 aaaa
Maybe there are some more clever/nasty persons out there, who could develop a
"better" exploit.
I don't think that root appends -- to every command he types in.
Don't hesitate to contact me.
Thanks in advance, and thank you for developing the GNU utils,
Johnny
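
The behaviour reported in the message above, reproduced as an added example (not part of the original post or of GNU coreutils): the shell expands `*` before du runs, so a name starting with "-" reaches du as options, while `--` or a `./` prefix keeps it an operand. The function names and the temporary directory are constructed for the demonstration; GNU du is assumed.

```shell
#!/bin/sh
# Constructed demo directory: one ordinary file and one whose name starts
# with "-" (the file name is the one shown in the post).
make_demo_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/a"
    : > "$d/-pilot-link.0.9.3.tar.bz2"
    printf '%s\n' "$d"
}

# List entries of DIR whose names begin with "-". Globbing with a ./ prefix
# means the matches can never be mistaken for options.
dash_names() (
    cd -- "$1" || exit 1
    for f in ./-*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob stays literal
        printf '%s\n' "${f#./}"
    done
)

# Run du over every entry of DIR using one of three spellings.
# Prints du's output; the exit status is du's.
du_all() (
    cd -- "$2" || exit 1
    case $1 in
        bare)     du -sh * ;;      # "-pilot..." is parsed as an option cluster
        dashdash) du -sh -- * ;;   # "--" ends option parsing
        dotslash) du -sh ./* ;;    # every operand begins with "./"
        *)        echo "unknown mode: $1" >&2; exit 2 ;;
    esac
)

demo() {
    dir=$(make_demo_dir) || return 1
    echo "dash-leading names:"; dash_names "$dir"
    for mode in bare dashdash dotslash; do
        if du_all "$mode" "$dir" >/dev/null 2>&1; then s=ok; else s=failed; fi
        echo "du ($mode): $s"
    done
    rm -rf -- "$dir"
}
demo
```

Running `dash_names` over shared directories such as a temp directory before globbing there as root shows which entries would be read as options.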