MFC r328951: Refactor cleanvar to remove shell expansion vulnerability

If any process creates a directory named "-P" in /var/run or
/var/spool/lock it will cause the purgedir function to start to rm -r /.

Simplify a lot of complicated shell logic by leveraging find(1).

1 files changed, 6 insertions, 31 deletions

diff --git a/etc/rc.d/cleanvar b/etc/rc.d/cleanvar
index e60890d..fcfd365 100755
--- a/etc/rc.d/cleanvar
+++ b/etc/rc.d/cleanvar
@@ -19,34 +19,6 @@ stop_cmd=":"
 extra_commands="reload"
 reload_cmd="${name}_start"
 
-purgedir()
-{
-	local dir file
-
-	if [ $# -eq 0 ]; then
-		purgedir .
-	else
-		for dir
-		do
-		(
-			cd "$dir" && for file in .* *
-			do
-				# Skip over logging sockets
-				[ -S "$file" -a "$file" = "log" ] && continue
-				[ -S "$file" -a "$file" = "logpriv" ] && continue
-				[ ."$file" = .. -o ."$file" = ... ] && continue
-				if [ -d "$file" -a ! -L "$file" ]
-				then
-					purgedir "$file"
-				else
-					rm -f -- "$file"
-				fi
-			done
-		)
-		done
-	fi
-}
-
 cleanvar_prestart()
 {
 	# These files must be removed only the first time this script is run
@@ -58,14 +30,17 @@ cleanvar_prestart()
 cleanvar_start()
 {
 	if [ -d /var/run -a ! -f /var/run/clean_var ]; then
-		purgedir /var/run
+		# Skip over logging sockets
+		find /var/run \( -type f -or -type s ! -name log -and ! -name logpriv \) -delete
 		>/var/run/clean_var
 	fi
 	if [ -d /var/spool/lock -a ! -f /var/spool/lock/clean_var ]; then
-		purgedir /var/spool/lock
+		find /var/spool/lock -type f -delete
 		>/var/spool/lock/clean_var
 	fi
-	rm -rf /var/spool/uucp/.Temp/*
+	if [ -d /var/spool/uucp/.Temp ]; then
+		find /var/spool/uucp/.Temp -delete
+	fi
 }
 
 load_rc_config $name