rm/shred -u setuid files

[Ville Herva]

[Please Cc me]

Scenario (this was recently brought up on linux kernel mailing list):

You have a setuid root file (say, /usr/bin/chsh). 
Some one creates a hard link to it (ln /usr/bin/chsh ~/bin/secret). 
You find out there is a security hole in the chsh binary and remove it while
waiting for the security patch.

One can easily miss the fact that there was more than one link to the inode.

This isn't probably new to seasoned unix admins, but I do believe it is news
for many new linux/unix users.

Proper way (I believe) is to first chmod 0 the file, then unlink it. This
perhaps doesn't address the fact that someone can have open()'ed the file
and hold and open fd to it. (I'm not sure what could be done with the open
fd, though, other than waste other people's quota). 

So chmod 0; shred -u; rm is probably what paranoid people do.

The hardlinks also allow for wasting other people's quota, as you cannot
remove hardlinks from directories you don't own. Truncate first will help
here.

I think it could be worth it to add this trivia to the rm/shred man pages -
perhaps even a warning to rm -v when removing a setuid file leaves the link
count as non-zero. Or a switch to rm that does chmod 0; truncate; unlink.


--
"Olet sietämätön tyyppi
  Ja mielipiteesi ovat vääriä
   Älä soita tänne enää koskaan!" - Ultra Bra