Xref: utzoo comp.unix.shell:764 alt.security:1710
Path: utzoo!utgpu!cs.utexas.edu!sdd.hp.com!wuarchive!udel!haven!adm!cmcl2!kramden.acf.nyu.edu!brnstnd
From: brnstnd@kramden.acf.nyu.edu (Dan Bernstein)
Newsgroups: comp.unix.shell,alt.security
Subject: Re: Beware xargs security holes
Summary: do not do this
Message-ID: <13090:Oct2922:24:5990@kramden.acf.nyu.edu>
Date: 29 Oct 90 22:24:59 GMT
References: <649@inews.intel.com>
Organization: IR
Lines: 17

In article john@sco.COM (John R. MacMillan) writes:
> |find / -name '#*' -print | egrep -v '.*/#[^/]*' | xargs rm -f --

No! Think about links.

> So now that we can all safely and automatically remove files I think
> we should kill this thread before I embarrass myself further.

Perhaps people should think about their supposed solutions before
posting them. Not to flame, but you're the eighth person to post an
insecure pipeline in this thread.

Folks, just don't use find | xargs as root until it has -0 to parse
nulls and find has -print0 to match. You'll sleep better at night using
-exec rm than somebody's supposedly secure pipeline from hell.

---Dan
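
Added example, not part of the original post: a shell sketch, run in a scratch directory, that counts how many arguments reach a command when file names travel line-delimited through xargs, NUL-delimited with -print0 and -0, or directly through -exec. The function names and sample file names are constructed for illustration, and it assumes a find and xargs that support -print0 and -0.

```shell
#!/bin/sh
# Added illustration; function and file names are constructed.

# Build a small sample tree containing one name with an embedded newline.
make_fixture() {
    mkdir -p "$1/sub"
    : > "$1/#plain"
    : > "$1/sub/#with space"
    # One file whose name spans two text lines (constructed sample).
    : > "$1/#two
lines"
}

# Lines a line-oriented filter (egrep, etc.) sees in find's -print output.
count_lines() {
    find "$1" -type f -name '#*' -print | wc -l | tr -d ' '
}

# Arguments delivered by plain xargs, which splits on blanks and newlines.
args_plain_xargs() {
    find "$1" -type f -name '#*' -print | xargs sh -c 'echo "$#"' sh
}

# Arguments delivered when names are NUL-terminated end to end.
args_xargs0() {
    find "$1" -type f -name '#*' -print0 | xargs -0 sh -c 'echo "$#"' sh
}

# -exec runs in which the command received exactly one argument (the name).
runs_exec() {
    find "$1" -type f -name '#*' -exec sh -c 'echo "$#"' sh {} \; | grep -c '^1$'
}

demo=$(mktemp -d)
make_fixture "$demo"
echo "files created:        3"
echo "lines from -print:    $(count_lines "$demo")"
echo "args via xargs:       $(args_plain_xargs "$demo")"
echo "args via xargs -0:    $(args_xargs0 "$demo")"
echo "runs via -exec:       $(runs_exec "$demo")"
rm -rf "$demo"
```

Only the NUL-delimited and -exec forms hand the command the same three names that exist on disk; the line-delimited forms see four lines and five arguments for three files.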