Xref: utzoo comp.unix.shell:598 alt.security:1675
Path: utzoo!attcan!uunet!jarthur!nntp-server.caltech.edu!ggumby!tim
From: tim@ggumby.cs.caltech.edu (Timothy L. Kay)
Newsgroups: comp.unix.shell,alt.security
Subject: Re: Beware xargs security holes
Message-ID:
Date: 16 Oct 90 18:18:00 GMT
References: <63404@iuvax.cs.indiana.edu> <1990Oct9.172621.13484@cbnews.att.com> <271653D6.1CE8@tct.uucp> <4062:Oct1518:22:1290@kramden.acf.nyu.edu> <3876@awdprime.UUCP>
Sender: news@nntp-server.caltech.edu
Organization: California Institute of Technology, Pasadena
Lines: 30
Nntp-Posting-Host: ggumby.cs.caltech.edu

tif@doorstop.austin.ibm.com (Paul Chamberlain) writes:
>In article brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
>>	find / -name '#*' -atime +7 -print | xargs rm
>>lets a malicious user remove every file on the system.
>
>If I understand, to do this a user would have to create a file
>with a '/' in its name.  Is this possible on some systems?
>The most malicious thing I can do with the above command is
>remove a file that doesn't start with '#' that's in a
>writable directory.

Let me see.  If I create a directory named

	directory\n

and create a file in there called vmunix, then find will spit out a file

	.../directory\n/vmunix\n

which xargs will see as

	.../directory

and

	/vmunix

Tim
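
Added example, not part of the original post: a sandboxed check of the argument splitting described above, next to two forms that keep each path as one argument. It assumes a find and xargs that support -print0 and -0 (GNU and BSD do; the thread does not mention them), uses -type f in place of the thread's filter, and all function and file names are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration; every name below is constructed for this example.
# Builds a throwaway tree under mktemp and counts the arguments a command
# receives from find by three routes. Nothing outside the tree is touched.

# Create a sandbox holding "directory<newline>/vmunix"; print its path.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    nl='
'
    mkdir "$sb/directory$nl" || return 1
    : > "$sb/directory$nl/vmunix"
    printf '%s\n' "$sb"
}

# Newline-terminated names into plain xargs, as in the quoted pipeline.
# (-type f stands in for the thread's -name '#*' -atime +7 filter.)
count_args_newline() {
    find "$1" -type f -print | xargs sh -c 'echo $#' sh
}

# NUL-terminated names: a newline inside a path is no longer a separator.
count_args_nul() {
    find "$1" -type f -print0 | xargs -0 sh -c 'echo $#' sh
}

# No pipe at all: find passes each path as a single argv entry.
count_args_exec() {
    find "$1" -type f -exec sh -c 'echo $#' sh {} +
}

# Print each argument plain xargs produces, bracketed, one per line.
show_args_newline() {
    find "$1" -type f -print | xargs sh -c 'for a; do printf "[%s]\n" "$a"; done' sh
}

sandbox=$(make_sandbox) || exit 1
echo "newline-delimited xargs: $(count_args_newline "$sandbox") argument(s)"
show_args_newline "$sandbox"
echo "find -print0 | xargs -0: $(count_args_nul "$sandbox") argument(s)"
echo "find -exec ... {} +:     $(count_args_exec "$sandbox") argument(s)"
rm -rf -- "$sandbox"
```

The one file in the sandbox reaches the command as two arguments through newline-delimited xargs, the second being /vmunix, and as a single argument through the other two routes.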