Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!udel!princeton!phoenix!subbarao
From: subbarao@phoenix.Princeton.EDU (Kartik Subbarao)
Newsgroups: comp.unix.shell
Subject: Re: Beware xargs security holes
Message-ID: <3421@idunno.Princeton.EDU>
Date: 18 Oct 90 01:17:26 GMT
References: <3876@awdprime.UUCP> <13569:Oct1617:00:0590@kramden.acf.nyu.edu> <3369@idunno.Princeton.EDU>
Sender: news@idunno.Princeton.EDU
Lines: 65

In article <3369@idunno.Princeton.EDU> pfalstad@stone.Princeton.EDU (Paul John Falstad) writes:
>In article <13569:Oct1617:00:0590@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
>>In article <3876@awdprime.UUCP> tif@doorstop.austin.ibm.com (Paul Chamberlain) writes:
>>> In article <4062:Oct1518:22:1290@kramden.acf.nyu.edu> brnstnd@kramden.acf.nyu.edu (Dan Bernstein) writes:
>>> > find / -name '#*' -atime +7 -print | xargs rm
>>> The most malicious thing I can do with the above command is
>>> remove a file that doesn't start with '#' that's in a
>>> writable directory.
>>Incorrect. If that command is run daily from cron, as it is on many
>>systems, then any user can remove any file on the system.
>
>Oh, I see. You could do something like this:
>And then cron would delete /vmunix. That's assuming cron starts up xargs
>with / as its current directory.
>And to delete other files (not necessarily in /), you could do:
>
>$ mkdir '#
>'
>$ cd '#
>'
>$ mkdir u; mkdir u/subbarao
>$ mkdir u/subbarao/.plan'
>'
>$ date >u/subbarao/.plan'
>/#foo'
>

Yow! Nah, we'd never want to do that, now would we? Then I'd have no goal in
life?! :-)

>If you do a find . -name '#*' -print | xargs echo in this directory, you get:
>
>./# ./# /u/subbarao/.plan /#foo ./# vmunix
>
>Very nasty. Wonder if it works on my system...

No, good thing it doesn't. Especially after I'd want to put a pipe as my
.plan to execute a command ;-). Gee, it's also a good thing there are no
shell escapes in rm.

I can just see the thread now: "Beware : Re: how to prevent shell escapes
from rm". And then Dan would give his wonderful pty solution (not that pty
isn't wonderful!), Larry Wall and Randal Schwartz would probably find a nice
one-line perl hack, some other sysadmin would complain about the openness of
the discussion, another would cry "security through obscurity", and the
wizards would go back and forth about this. comp.unix.* can be so funny at
times :-)

>Paul Falstad, pfalstad@phoenix.princeton.edu PLink:HYPNOS GEnie:P.FALSTAD
>"And she's always on about men following her. I don't know what she
>thinks they're going to do to her. Vomit on her, Basil, says."-Flowery Twats

Good thing Paul only removed my .plan, so I can say:

(I need a new .signature -- any suggestions?)

subbarao@{phoenix or gauguin}.Princeton.EDU -|Internet
kartik@silvertone.Princeton.EDU (NeXT mail) -|
SUBBARAO@PUCC.BITNET - Bitnet
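The whole thread turns on one behaviour: `find -print | xargs` hands file names to the command as a whitespace-separated text stream, so a name containing a newline is split into several arguments, and `xargs rm` then deletes paths the `find` expression never matched. The script below is an added demonstration, not code from any poster in the thread. It builds a scratch directory containing one file whose name embeds a newline (constructed test data), counts how many arguments reach the command through the unsafe pipeline and through the NUL-delimited `find -print0 | xargs -0` form, and cleans up. It assumes a `find`/`xargs` pair that implements `-print0` and `-0` (GNU, BSD and macOS all do).

```shell
#!/bin/sh
# Added demonstration, not code from the thread: a file name containing a
# newline reaches the command as two arguments through whitespace-delimited
# xargs, but as one argument through find -print0 | xargs -0.
# Assumes find/xargs with -print0 and -0 (GNU, BSD, macOS).

# Create a scratch tree holding one regular file whose name embeds a newline
# (constructed test data in the spirit of the mkdir trick quoted above).
# Prints the scratch directory path so the caller can remove it afterwards.
setup_scratch() {
    d=$(mktemp -d)
    nl='
'
    : > "$d/#junk${nl}vmunix"
    printf '%s\n' "$d"
}

# Unsafe form from the thread: -print emits one path per line and xargs treats
# the embedded newline as just another separator, so the single file name is
# delivered as two arguments ("<dir>/#junk" and "vmunix").  The helper prints
# the argument count that the spawned command actually sees.
unsafe_arg_count() {
    find "$1" -type f -print | xargs sh -c 'echo "$#"' argv0
}

# Hardened form: -print0 terminates each path with NUL, the one byte that can
# never appear in a file name, and xargs -0 splits only on NUL, so the name
# arrives intact as one argument.
safe_arg_count() {
    find "$1" -type f -print0 | xargs -0 sh -c 'echo "$#"' argv0
}

# Stand-alone run: show both counts side by side, then tidy up.
scratch=$(setup_scratch)
echo "whitespace-delimited xargs delivered $(unsafe_arg_count "$scratch") argument(s)"
echo "NUL-delimited xargs -0 delivered $(safe_arg_count "$scratch") argument(s)"
rm -rf "$scratch"
```

On a system without `-print0`/`-0`, the portable fix is to keep the names out of a text stream altogether: `find / -name '#*' -atime +7 -exec rm -f {} +` passes each matched path to `rm` as its own argv entry, so no separator byte can be smuggled in through a file name. Either way, a cron job that removes files should be audited for any `-print | xargs` pipeline over directories that untrusted users can write to.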