Beware xargs security holes

Kartik Subbarao subbarao at phoenix.Princeton.EDU
Thu Oct 18 11:17:26 AEST 1990


In article <3369 at idunno.Princeton.EDU> pfalstad at stone.Princeton.EDU (Paul John Falstad) writes:
>In article <13569:Oct1617:00:0590 at kramden.acf.nyu.edu> brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
>>In article <3876 at awdprime.UUCP> tif at doorstop.austin.ibm.com (Paul Chamberlain) writes:
>>> In article <4062:Oct1518:22:1290 at kramden.acf.nyu.edu> brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
>>> >  find / -name '#*' -atime +7 -print | xargs rm
>>> The most malicious thing I can do with the above command is
>>> remove a file that doesn't start with '#' that's in a
>>> writable directory.
>>Incorrect. If that command is run daily from cron, as it is on many
>>systems, then any user can remove any file on the system.
>
>Oh, I see.  You could do something like this:

>And then cron would delete /vmunix.  That's assuming cron starts up xargs
>with / as its current directory.

>And to delete other files (not necessarily in /), you could do:
>
>$ mkdir '#
>'
>$ cd '#
>'
>$ mkdir u; mkdir u/subbarao
>$ mkdir u/subbarao/.plan'
>'
>$ date >u/subbarao/.plan'
>/#foo'
>

Yow! nah, we'd never want to do that, now would we? Then I'd have no goal in life?! :-)


>If you do a find . -name '#*' -print | xargs echo in this directory, you get:
>
>./# ./# /u/subbarao/.plan /#foo ./# vmunix
>
>Very nasty.  Wonder if it works on my system...

No, good thing it doesn't. Especially after I'd want to put a pipe as my .plan to execute a command
;-). Gee, it's also a good thing there are no shell escapes in rm. I can just see the thread now:

"Beware : Re: how to prevent shell escapes from rm".

And then Dan would give his wonderful pty solution (not that pty isn't wonderful!),
Larry Wall and Randall Schwartz would probably find a nice one line perl hack,
some other sysadmin would complain about the openness of the discussion, another would cry
"security through obscurity", and the wizards would go back and forth about this.

comp.unix.* can be so funny at times :-)


>Paul Falstad, pfalstad at phoenix.princeton.edu PLink:HYPNOS GEnie:P.FALSTAD
>"And she's always on about men following her.  I don't know what she
>thinks they're going to do to her.  Vomit on her, Basil, says."-Flowery Twats


Good thing Paul only removed my .plan, so I can say:




(I need a new .signature -- any suggestions?)
subbarao@{phoenix or gauguin}.Princeton.EDU -|Internet
kartik at silvertone.Princeton.EDU (NeXT mail)       -|	
SUBBARAO at PUCC.BITNET			          - Bitnet
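The splitting Paul demonstrates is easy to reproduce safely, and the fix is equally short. The script below is an added example, not code from the thread or from either poster: it rebuilds the "directory named `#` plus newline" layout inside a throwaway directory created with `mktemp -d`, and hands the words that `xargs` produces to an argument counter instead of `rm`, so nothing outside the sandbox is touched. It then shows the two standard mitigations: `find -print0 | xargs -0` (NUL-terminated paths; a GNU/BSD extension the 1990 tools lacked but that every current findutils and xargs supports) and `find -exec ... {} +` (POSIX, passes paths as argv entries with no delimiter at all). The file names `#foo` and the sandbox path are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Rebuilds the newline-in-
# filename layout in a temp dir and counts the words xargs produces instead
# of deleting anything, so the demo is safe to run anywhere.

# make_sandbox: create a temp dir holding a directory whose name is '#' plus
# a newline, with a file named '#foo' inside it (constructed test data).
# Prints the sandbox path on stdout.
make_sandbox() {
    d=$(mktemp -d) || exit 1
    nl=$(printf '\nx'); nl=${nl%x}          # a bare newline character
    mkdir "$d/#${nl}"                       # directory named "#<newline>"
    : > "$d/#${nl}/#foo"                    # file matched by -name '#*'
    printf '%s' "$d"
}

# unsafe_count: the classic pipeline. -print ends each path with a newline,
# but the newline inside the directory name is indistinguishable from that
# terminator, so xargs sees three words for two paths.
unsafe_count() {
    ( cd "$1" && find . -name '#*' -print | xargs sh -c 'echo "$#"' sh )
}

# unsafe_leaked: the word that does not begin with "./". A cron job running
# "xargs rm" would resolve it relative to its own cwd (or, here, as the
# absolute path /#foo), i.e. a file the find never matched.
unsafe_leaked() {
    ( cd "$1" && find . -name '#*' -print \
        | xargs sh -c 'printf "%s\n" "$@"' sh | grep -v '^\./' )
}

# print0_count: NUL-terminated output (-print0) with NUL-delimited input (-0).
# NUL cannot occur in a path name, so every path stays one argument.
print0_count() {
    ( cd "$1" && find . -name '#*' -print0 | xargs -0 sh -c 'echo "$#"' sh )
}

# exec_plus_count: find's own -exec ... {} + passes the paths straight into
# argv without serialising them, so no delimiter is involved at all.
exec_plus_count() {
    ( cd "$1" && find . -name '#*' -exec sh -c 'echo "$#"' sh {} + )
}

# Stand-alone run: show the figures side by side, then clean up.
sandbox=$(make_sandbox)
echo "find -print  | xargs    : $(unsafe_count "$sandbox") args, stray word: $(unsafe_leaked "$sandbox")"
echo "find -print0 | xargs -0 : $(print0_count "$sandbox") args"
echo "find -exec {} +         : $(exec_plus_count "$sandbox") args"
rm -rf "$sandbox"
```

The unsafe pipeline reports three arguments, one of them `/#foo`, which is exactly the kind of stray word that turned into `vmunix` in Paul's run; both safe variants report two. For a cron job the practical rule that follows is to never let `find` output pass through whitespace-splitting `xargs` on directories other users can write to, and to prefer `-exec {} +` or `-print0 | xargs -0`.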


