[Scripts 0000324]: Invalid Settings/Scripts/Directories.conf can allow UnionSandbox to wipe out entire disk
Mantis Bug Tracker
bugs at gobolinux.org
Thu Apr 10 17:01:07 NZST 2008
The following issue has been SUBMITTED.
======================================================================
http://bugs.gobolinux.org/view.php?id=324
======================================================================
Reported By: quick
Assigned To:
======================================================================
Project: Scripts
Issue ID: 324
Category:
Reproducibility: always
Severity: major
Priority: normal
Status: new
======================================================================
Date Submitted: 2008-04-09 22:01-0700
Last Modified: 2008-04-09 22:01-0700
======================================================================
Summary: Invalid Settings/Scripts/Directories.conf can allow
UnionSandbox to wipe out entire disk
Description:
In Directories.conf, the root of the temporary union filesystems:
unionSandboxMP and unionSandboxRW, defaulting to /.union_mp and ./union_rw,
respectively.
However, if the user sets these to something that "mktemp" is unable to
utilize (e.g. something as simple as blank or an undefined parent
directory, e.g. "/.union_mp/") then the mktemp operations in UnionSandbox
will report a failure but return empty variable values.
These values are subsequently used in the cleanup() function of that
script. Notably:
rm -rf ${sandbox_mp}/usr
...
rm -rf ${sandbox_rw}
... at which point you need to hard-reboot and hunt down your install CD.
Been there. Done that. :-((
These dangerous commands should be protected. At a minimum, they should
not be performed if the variables in question are blank. A better solution
is probably to add a || Die "bad spec" after the mktemp, ensuring that
cleanup() isn't called during Die.
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
2008-04-09 22:01 quick New Issue
======================================================================
More information about the Gobolinux-bugtracker
mailing list