Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!wuarchive!psuvax1!hsdndev!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.admin
Subject: Re: Help - we lost all our files!
Message-ID: <4092.Jun2903.50.5391@kramden.acf.nyu.edu>
Date: 29 Jun 91 03:50:53 GMT
References: <1347@escob1.UUCP>
Organization: IR
Lines: 27

In article <1347@escob1.UUCP> dickson@escob1.UUCP (Dave Dickson) writes:
  [ lost all files, except those of certain running executables ]
> We are reasonably certain that this was not an intruder or other
> nefarious critter, as we have a reasonably secure system (I, know,
> famous last words).
  [ ... ]
> 45 3 * * * find /tmp/* /usr/tmp/* -mtime +1 -print | xargs rm -r

ln -s / /tmp/foo would achieve this effect, provided that your find
chdir()ed to the directories rather than lstat()ing them, and provided
that this is on a BSD system. Or putting the proper set of files with
embedded newlines into /tmp. Or an NFS error and some shoddy error
checking.

A much more secure version would be

  find /tmp /usr/tmp -mtime +1 -print0 | xargs -0 rm -f

provided that your find has -print0 (meaning use null rather than
newline to separate names) and your xargs has -0 (meaning accept names
terminated by null, and don't do any parsing at all). I've been yelling
at vendors for years to add these options...

An even better strategy is to give users a ``tmphogs'' command which
shows the top ten /tmp users if the disk is over 90% full.

---Dan
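
The difference between newline-delimited and null-delimited name passing described in the article above, as an added example that is not part of the original post: it builds a private scratch directory holding one file whose name contains a newline, then reports how many arguments xargs receives and how many of them name no real file. The function names and sample file names are made up for the illustration, and it assumes a find with -print0 and an xargs with -0.

```shell
#!/bin/sh
# Added example, not from the post. Touches only a private scratch directory.

# Constructed sample data: one ordinary file and one file whose name
# contains a newline. Prints the scratch directory path.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    nl='
'
    : > "$dir/plain"
    : > "$dir/odd${nl}tail"
    printf '%s\n' "$dir"
}

# Run by xargs: count the arguments received and how many of them do not
# name an existing file, i.e. were produced by splitting one name in two.
CHECK='n=0; for f in "$@"; do [ -e "$f" ] || n=$((n+1)); done
echo "args=$# missing=$n"'

# split_report newline|nul DIR
split_report() {
    (
        cd "$2" || exit 1
        case $1 in
            newline) find . -type f -print  | xargs    sh -c "$CHECK" sh ;;
            nul)     find . -type f -print0 | xargs -0 sh -c "$CHECK" sh ;;
            *)       echo "usage: split_report newline|nul DIR" >&2; exit 2 ;;
        esac
    )
}

# Audit check: number of files under DIR whose name contains a newline.
count_newline_names() {
    nl='
'
    find "$1" -type f -name "*${nl}*" -print0 | tr -dc '\0' | wc -c | tr -d ' '
}

d=$(make_sandbox) || exit 1
echo "newline-delimited: $(split_report newline "$d")"
echo "NUL-delimited:     $(split_report nul "$d")"
echo "names containing a newline: $(count_newline_names "$d")"
rm -rf "$d"
```

In the newline-delimited run the two files arrive as three arguments, two of which are fragments that name nothing find actually matched; the null-delimited run passes exactly the two names that exist.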