Refactor cleanvar to remove shell expansion vulnerability

If any process creates a directory named "-P" in /var/run or /var/spool/lock it will cause the purgedir function to start to rm -r /. Simplify a lot of complicated shell logic by leveraging find(1). Reviewed by: allanjude MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D13778
2018-02-06 21:35:41 +00:00 · 2018-02-06 21:35:41 +00:00 · 330d62831f
commit 330d62831f
parent 964107031b
1 changed files with 6 additions and 31 deletions
--- a/etc/rc.d/cleanvar
+++ b/etc/rc.d/cleanvar
@ -19,34 +19,6 @@ stop_cmd=":"
 extra_commands="reload"
 reload_cmd="${name}_start"

-purgedir()
-{
-	local dir file
-
-	if [ $# -eq 0 ]; then
-		purgedir .
-	else
-		for dir
-		do
-		(
-			cd "$dir" && for file in .* *
-			do
-				# Skip over logging sockets
-				[ -S "$file" -a "$file" = "log" ] && continue
-				[ -S "$file" -a "$file" = "logpriv" ] && continue
-				[ ."$file" = .. -o ."$file" = ... ] && continue
-				if [ -d "$file" -a ! -L "$file" ]
-				then
-					purgedir "$file"
-				else
-					rm -f -- "$file"
-				fi
-			done
-		)
-		done
-	fi
-}
-
 cleanvar_prestart()
 {
 	# These files must be removed only the first time this script is run
@ -58,14 +30,17 @@ cleanvar_prestart()
 cleanvar_start()
 {
 	if [ -d /var/run -a ! -f /var/run/clean_var ]; then
-		purgedir /var/run
+		# Skip over logging sockets
+		find /var/run \( -type f -or -type s ! -name log -and ! -name logpriv \) -delete
 		>/var/run/clean_var
 	fi
 	if [ -d /var/spool/lock -a ! -f /var/spool/lock/clean_var ]; then
-		purgedir /var/spool/lock
+		find /var/spool/lock -type f -delete
 		>/var/spool/lock/clean_var
 	fi
-	rm -rf /var/spool/uucp/.Temp/*
+	if [ -d /var/spool/uucp/.Temp ]; then
+		find /var/spool/uucp/.Temp -delete
+	fi
 }

 load_rc_config $name