Beware xargs security holes
Paul Chamberlain
tif at doorstop.austin.ibm.com
Fri Oct 19 23:40:36 AEST 1990
In article <tim.656101080 at ggumby> tim at ggumby.cs.caltech.edu (Timothy L. Kay) writes:
>tif at doorstop.austin.ibm.com (Paul Chamberlain) writes:
>>In article brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
>>> find / -name '#*' -atime +7 -print | xargs rm
>>>lets a malicious user remove every file on the system.
>>
>>The most malicious thing I can do with the above command is
>>remove a file that doesn't start with '#' that's in a
>>writable directory.
>
>Let me see. If I create a directory [and file] named
> .../directory\n/vmunix

Okay, I've had this explained to me and I admit that this
could be a problem. But I think it is contrived because
the "find" command to pass this filename to xargs either
doesn't check the name or allows "vmunix" to match it.

I suppose I could create the above and then convince the
administrator to do "find /u/tif -print | xargs chown tif".
But, then again, wouldn't "ln /etc/passwd /u/tif/my_file"
be easier?

In any case, I've yet to see how "a malicious user [could]
remove every file on the system."

Paul Chamberlain | I do NOT represent IBM. tif at doorstop, sc30661 at ausvm6
512/838-7008 | ...!cs.utexas.edu!ibmaus!auschs!doorstop.austin.ibm.com!tif
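
Added example, not part of the original post: a sandboxed check of how the "directory\n/vmunix" name from the thread reaches the command behind xargs, next to two forms that keep each path as one argument. The function names and the counting stand-in for rm/chown are assumptions of this example; -print0, xargs -0 and -exec ... {} + are not mentioned in the thread and are taken from current find/xargs implementations.

```shell
#!/bin/sh
# Build a constructed sandbox holding the "directory\n/vmunix" name from the thread.
make_sandbox() {
    root=$(mktemp -d) || return 1
    nl='
'
    mkdir "$root/directory$nl" || return 1   # directory name ends in a newline
    : > "$root/directory$nl/vmunix"          # harmless empty file
    printf '%s\n' "$root"
}

# Harmless stand-in for rm/chown: $0 is the search root, "$@" the received names.
# Prints "<names received> <names that lie outside the search root>".
tally='n=0; out=0
for a in "$@"; do
    n=$((n + 1))
    case $a in "$0"|"$0"/*) ;; *) out=$((out + 1)) ;; esac
done
echo "$n $out"'

# The pattern from the thread: names separated by newlines.
newline_pipeline() { find "$1" -print | xargs sh -c "$tally" "$1"; }

# NUL-separated names: NUL cannot occur inside a path.
nul_pipeline() { find "$1" -print0 | xargs -0 sh -c "$tally" "$1"; }

# No pipe: find passes each path as one argument.
exec_plus() { find "$1" -exec sh -c "$tally" "$1" {} +; }

demo() {
    root=$(make_sandbox) || return 1
    echo "find -print  | xargs    : $(newline_pipeline "$root")"
    echo "find -print0 | xargs -0 : $(nul_pipeline "$root")"
    echo "find -exec ... {} +     : $(exec_plus "$root")"
    rm -rf "$root"
}
demo
```

In the newline-delimited run the command receives four names, one of which is /vmunix, a path outside the tree that find searched; the other two forms deliver exactly the three paths find visited.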