Caldera Security Advisory SA-96.01 March 21, 1996 Topic: File deletion via /etc/crontab entries I. Problem Description The system-wide crontab(5) file, /etc/crontab, contains entries executed by various users including root. Some of these entries are intended to automatically remove old files from publicly writable directories such as /tmp. It has been reported that the default entries in CND 1.0 can be misused by non-privileged users to delete arbitrary files. II. Impact Any file on the system could be potentially deleted by a non-privileged user. III. Solution / Workaround Remove entries that use 'find' on a public directory with '-exec rm -f' as root. It is suggested that the following entries in /etc/crontab should be disabled or removed: ******************************************************************************* # Remove /var/tmp files not accessed in 10 days 43 02 * * * root find /var/tmp/* -atime +3 -exec rm -f {} \; 2> /dev/null # Remove /tmp files not accessed in 10 days 41 02 * * * root find /tmp/* -atime +10 -exec rm -f {} \; 2> /dev/null # Remove formatted man pages not accessed in 10 days 39 02 * * * root find /var/catman/cat?/* -atime +10 -exec rm -f {} \; 2> /dev/n ull # Remove and TeX fonts not used in 10 days 35 02 * * * root find /var/lib/texmf/* -type f -atime +10 -exec rm -f {} \; 2> /dev/null ******************************************************************************* Though not tested by Caldera, the following "file garbage collector" has been suggested as a replacement for the above entries in /etc/crontab: http://www.ultratech.net/~zblaxell/admin_utils/filereaper.txt