Beware xargs security holes
Dan Bernstein
brnstnd at kramden.acf.nyu.edu
Tue Oct 30 09:24:59 AEST 1990
In article <john.657158675 at troch> john at sco.COM (John R. MacMillan) writes:
> |find / -name '#*' -print | egrep -v '.*/#[^/]*' | xargs rm -f --
No! Think about links.
> So now that we can all safely and automatically remove files I think
> we should kill this thread before I embarrass myself further.
Perhaps people should think about their supposed solutions before
posting them. Not to flame, but you're the eighth person to post an
insecure pipeline in this thread.
Folks, just don't use find | xargs as root until it has -0 to parse
nulls and find has -print0 to match. You'll sleep better at night using
-exec rm than somebody's supposedly secure pipeline from hell.
---Dan
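As an added illustration of the point above (not part of the original post): a throwaway directory holding a constructed filename with an embedded newline shows how `find -print | xargs` hands its command an extra, unintended argument, while `find -print0 | xargs -0` and `find -exec` do not. It assumes a find/xargs that support -print0 and -0 (GNU or BSD) and a POSIX sh; the command run by xargs only counts its arguments, it removes nothing.

```shell
#!/bin/sh
# Added example, not from the original post. Everything happens inside a
# fresh temporary directory created by make_sandbox; nothing else is touched.

# Create the sandbox: one ordinary '#' backup file, one constructed file whose
# name embeds a newline, and one innocent file whose name appears on the
# second "line" of that hostile name.  Prints the sandbox path.
make_sandbox() {
    work=$(mktemp -d)
    nl='
'
    : > "$work/#real.txt#"
    : > "$work/#evil${nl}victim.txt"   # constructed hostile name
    : > "$work/victim.txt"
    printf '%s\n' "$work"
}

# How many arguments does xargs actually hand to its command for the '#' files
# under $1?  Style "newline" is the 1990 pipeline; "nul" is the -print0/-0 fix.
# $# inside the inner sh counts exactly the tokens xargs appended.
count_args() {
    case $2 in
        newline) find "$1" -name '#*' -print  | xargs    sh -c 'echo $#' sh ;;
        nul)     find "$1" -name '#*' -print0 | xargs -0 sh -c 'echo $#' sh ;;
    esac
}

# The alternative the post recommends: find passes each path straight to rm,
# so there is no text stream for a filename to corrupt.
safe_remove() {
    find "$1" -name '#*' -exec rm -f -- {} \;
}

# Count regular files under $1 without going through a newline-delimited list.
count_files() {
    find "$1" -type f -exec echo . \; | wc -l | tr -d ' '
}

W=$(make_sandbox)
echo "newline-delimited tokens:  $(count_args "$W" newline)"  # 3: one is a phantom victim.txt
echo "NUL-delimited tokens:      $(count_args "$W" nul)"      # 2: exactly the matched files
safe_remove "$W"
echo "files left after -exec rm: $(count_files "$W")"         # 1: victim.txt survives
rm -rf "$W"
```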