On Sun, Aug 07, 2011 at 04:51:39PM +0000, David Holland wrote: > On Sun, Aug 07, 2011 at 12:11:49PM -0400, Mouse wrote: > > However, since there's no way to make rmdir(2) use NOFOLLOW, we > > have to either leave directory structure in place or risk removing an > > attacker's choice of empty directories. > ? > > valkyrie% ls -l > total 4 > drwx------ 2 dholland notmp 512 Aug 7 12:32 bar > lrwx------ 1 dholland notmp 3 Aug 7 12:32 baz -> bar > valkyrie% rmdir baz > rmdir: baz: Not a directory > Exit 1
My guess for steps to create the problem is: % mkdir /tmp/foo/bar % make-lots-of-files-in-dir /tmp/foo/bar % run-job-that-slows-down-the-system % wait-for-tmp-cleanup-to-start % mv /tmp/foo /tmp/foo2 % ln -s /some/path /tmp/foo ... and the tmp cleanup does a "rmdir /tmp/foo/bar", which is actually /some/path/bar instead. eric
