bin/104044: [patch] rc.d/cleartmp works incorrectly

[Andrey Simonenko]

>Number:         104044
>Category:       bin
>Synopsis:       [patch] rc.d/cleartmp works incorrectly
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 06 09:40:18 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Andrey Simonenko <simon at comsys.ntu-kpi.kiev.ua>
>Release:        FreeBSD 6.2-PRERELEASE i386
>Organization:
>Environment:
>Description:

The rc.d/cleartmp script does not remove lost+found, quota.user and
quota.group files in the /tmp directory.  Anyone who has permissions
to write to the /tmp directory can create files or directories with
names lost+found, quota.user or quota.group and cleartmp will not
remove them.

>How-To-Repeat:

Set clear_tmp_enable="YES" in /tmp

% dd if=/dev/zero of=/tmp/quota.user count=10
# /etc/rc.d/cleartmp start
# cd /tmp ; ls -l

>Fix:

What the modified version of cleartmp does:

If clear_tmp_enable="YES", then

1.	Remove as much as possible of files and directories in /tmp using
	rm (in the original version shell patterns are incomplete).

2.	Remove the rest of files in /tmp using find.  Check that lost+found
	is a directory with the owner root.  Check that quota.user and
	quota.group are regular files with the owner root.

3.	If clear_tmp_X="YES", then create X related directories in /tmp
	(in the original version steps 2 and 3 are run in reverse order,
	as the result expressions for find are more complex).

If clear_tmp_enable="NO" and clear_tmp_X="YES", then

1.	Remove X related files and directories.

2.	Create X related directories.

--- cleartmp.orig	Mon Apr 10 16:10:30 2006
+++ cleartmp	Fri Oct  6 11:55:35 2006
@@ -14,43 +14,50 @@
 
 start_cmd="${name}_start"
 
-cleartmp_prestart()
-{
-	checkyesno clear_tmp_X || return
-
-	local x11_socket_dirs="/tmp/.X11-unix /tmp/.ICE-unix /tmp/.font-unix \
-	    /tmp/.XIM-unix"
+x11_socket_dirs="/tmp/.X11-unix /tmp/.ICE-unix /tmp/.font-unix /tmp/.XIM-unix"
 
-	# Remove X lock files, since they will prevent you from restarting X.
-	rm -f /tmp/.X[0-9]-lock
-
-	# Create socket directories with correct permissions to avoid
-	# security problem.
-	#
-	rm -fr ${x11_socket_dirs}
+createtmp_X()
+{
+	# Create X socket directories with correct permissions.
 	mkdir -m 1777 ${x11_socket_dirs}
 }
 
+cleartmp_X()
+{
+	# Remove X lock files, since they will prevent you from restarting X,
+	# and remove other X related directories.
+	rm -fr /tmp/.X[0-9]-lock ${x11_socket_dirs}
+}
+
 cleartmp_start()
 {
 	echo "Clearing /tmp."
-	#
-	#	Prune quickly with one rm, then use find to clean up
-	#	/tmp/[lq]* (this is not needed with mfs /tmp, but
-	#	doesn't hurt anything).
-	#
-	(cd /tmp && rm -rf [a-km-pr-zA-Z]* &&
-	    find -x . ! -name . ! -name lost+found ! -name quota.user \
-		! -name quota.group ! -name .X11-unix ! -name .ICE-unix \
-		! -name .font-unix ! -name .XIM-unix \
+
+	# Try to remove files with rm, then use find to clean up the rest
+	# of files, including those, which do not fit in command line
+	# (this is not needed with mfs /tmp, but doesn't hurt anything).
+	(cd /tmp && rm -rf .[!.] .??* [!lq]* &&
+	    find -x . ! -name . \
+		! \( -name lost+found -type d -user root \) \
+		! \( \( -name quota.user -or -name quota.group \) \
+			-type f -user root \) \
 		-exec rm -rf -- {} \; -type d -prune)
+	if checkyesno clear_tmp_X; then
+		createtmp_X
+	fi
 }
 
 load_rc_config $name
 
 # The clear_tmp_X variable should be tested even if clear_tmp_enable is NO
 case "$1" in
-*start)	cleartmp_prestart ;;
+*start)
+	if ! checkyesno ${rcvar} && checkyesno clear_tmp_X; then
+		echo "Clearing /tmp (X related)."
+		cleartmp_X
+		createtmp_X
+	fi
+	;;
 esac
 
 run_rc_command "$1"
>Release-Note:
>Audit-Trail:
>Unformatted: