Beware xargs security holes
Timothy L. Kay
tim at ggumby.cs.caltech.edu
Wed Oct 17 04:18:00 AEST 1990
tif at doorstop.austin.ibm.com (Paul Chamberlain) writes:
>In article brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
>> find / -name '#*' -atime +7 -print | xargs rm
>>lets a malicious user remove every file on the system.
>If I understand, to do this a user would have to create a file
>with a '/' in its name. Is this possible on some systems?
>The most malicious thing I can do with the above command is
>remove a file that doesn't start with '#' that's in a
>writable directory.
Let me see. If I create a directory named
directory\n
and create a file in there called vmunix, then find will spit out
a file
.../directory\n/vmunix\n
which xargs will see as
.../directory
and
/vmunix
Tim
More information about the Comp.unix.shell
mailing list