[Kolab-devel] [issue4009] kolab_bootstrap contains dangerous code, could remove whole filesystem....
Richard Bos
issues at kolab.org
Wed Dec 30 20:36:39 CET 2009
New submission from Richard Bos <ml at radoeka.nl>:
There is some dangerous code in kolab_bootstrap that might remove a whole
filesystem....
kolab_bootstrap contains:
print "Cleaning up LDAP\n";
system("cd \"$Kolab::config{'ldapserver_dir'}\"; rm -f *");
In case the change directory to the $Kolab::config{'ldapserver_dir'} does not
succeed, or the variable is not defined correctly, things may go quite wrong
(in case one is unlucky).
In the example below I replaced "rm -f *" with "echo rm -f *". The code is
now:
print "Cleaning up LDAP\n";
$Kolab::config{'ldapserver_dir'} = "/var/lib/lldap";
print "ldapserver_dir = ".$Kolab::config{'ldapserver_dir'}."\n";
system("pwd; cd \"$Kolab::config{'ldapserver_dir'}\"; pwd; echo rm -f *");
When executing this:
# cd /
# /usr/sbin/kolab_bootstrap -b
The result is:
.......
Cleaning up LDAP
ldapserver_dir = /var/lib/lldap
/
sh: line 0: cd: /var/lib/lldap: No such file or directory
/
rm -f bin boot dev etc home lib lost+found media mnt opt proc root sbin selinux srv sys tmp usr var
Without echo, I would be crying now!
----------
messages: 22967
nosy: mathieu.parent, rbos, thomas, wilde, wrobel
priority: bug
status: unread
title: kolab_bootstrap contains dangerous code, could remove whole filesystem....
______________________________________
Kolab issue tracker <issues at kolab.org>
<https://issues.kolab.org/issue4009>
______________________________________
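
Added example, not part of the original report and not Kolab project code: a guarded form of the "cd DIR; rm -f *" pattern from the report, in which rm runs only after the cd has succeeded and an empty, relative, missing or root directory is refused. The names clean_dir and demo and the sandbox file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (constructed); clean_dir and demo are hypothetical names.

# Remove the files in one directory, refusing anything ambiguous.
# The body is a subshell "( ... )", so its cd never leaks to the caller.
clean_dir() (
    dir=${1-}
    # An unset or empty variable must stop here, not fall through to rm.
    [ -n "$dir" ] || { echo "clean_dir: directory not set" >&2; exit 2; }
    # Only absolute paths: the target must not depend on the current directory.
    case $dir in
        /*) ;;
        *) echo "clean_dir: not an absolute path: $dir" >&2; exit 2 ;;
    esac
    # Enter the directory first; if that fails, nothing is deleted.
    # pwd -P resolves symlinks so the root check sees the real location.
    real=$(cd "$dir" 2>/dev/null && pwd -P) ||
        { echo "clean_dir: cannot enter $dir" >&2; exit 1; }
    [ "$real" != / ] || { echo "clean_dir: refusing to clean /" >&2; exit 2; }
    # "&&" instead of ";": rm runs only after a successful cd.
    # "--" keeps file names that start with "-" from being read as options.
    cd "$real" && rm -f -- *
)

# Constructed scenario in a throwaway sandbox, mirroring the report:
# the caller sits in one directory and the configured path has a typo.
demo() (
    box=$(mktemp -d) || exit 1
    mkdir "$box/ldap" || exit 1
    touch "$box/keep.txt" "$box/ldap/a.db" "$box/ldap/-b.db"
    cd "$box" || exit 1
    clean_dir "$box/lldap" || echo "typo path refused (exit $?)"
    if [ -e keep.txt ] && [ -e ldap/a.db ]; then echo "nothing was deleted"; fi
    clean_dir "$box/ldap" && echo "real path cleaned"
    echo "entries left in ldap: $(ls -A ldap | wc -l)"
    rm -rf "$box"
)
demo
```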