Re: du wildcards interpretation security flaw

[Bob Proulx]

> I ve got a file in my home directory, that begins with a "-".  See
> the output of du -sh * below. Maybe tomeone could place some nasty
> files in temp, and whet root does a du, then...

Please check out the faq on filenames that start with a dash.

  
http://www.gnu.org/software/fileutils/doc/faq/#How%20do%20I%20remove%20files%20that%20start%20with%20a%20'-'%20such%20as%20'-i'%3f

> io-ii:/data/sort/johnny # du -sh *
> du: invalid option -- p
> Try `du --help' for more information.
> io-ii:/data/sort/johnny #
> io-ii:/data/sort/johnny # du -sh -- *
> 400k    -pilot-link.0.9.3.tar.bz2
> [...]

You have found the way to avoid having commands see filenames as
options.  Also works are 'du -sh ./*' etc.

> The exploit below doesn't work:
> touch \>\ xyz
> io-ii:/tmp/xxxxx # du -sh *
> 0       > xyz
> 0       a
> 0       aa
> 0       aaaa
> Maybe there are some more clever/nasty persons out there, who could
> develop a "better" exploit.

Just because you have a file named "> xyz" does not mean that file
globbing, the expansion of shell metacharacters into filenames, will
execute those names as commands.  Those are filenames and filenames
are NOT executed as shell commands.  There is no exploit here.  Thanks
for trying but you will have to do better.  :-)

Bob