Sorry about the ugly URLs below. This security vulnerability is
described in these bugtraq messages:

http://www.securityfocus.com/templates/archive.pike?list=1&[EMAIL PROTECTED]
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-10-15&[EMAIL PROTECTED]

The whole thread is available here:

http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-10-15&[EMAIL PROTECTED]

Or, do a search on www.securityfocus.com for the terms: xargs rm find.

Hope this helps,
-Ian

>In Debian 2.1 (slink) the file /etc/cron.daily/standard (package cron)
>contains the following code:
>
>--------------------- begin included code ----------------------
>
># /etc/cron.daily/standard: standard daily maintenance script
># Written by Ian A. Murdock <[EMAIL PROTECTED]>
># Modified by Ian Jackson <[EMAIL PROTECTED]>
># Modified by Steve Greenland <[EMAIL PROTECTED]>
>
>bak=/var/backups
>
># The following three find commands are commented out do to the
># severe, easily exploited security hole introduced by 'find . _stuff_
># | xargs rm' style commands. Changing it to '-exec rm {}' doesn't
># help.
>
># if [ -d /tmp -a ! -L /tmp ] && cd /tmp
># then
># find . -type f -atime +3 -print0 | xargs -r0 rm -f --
># find . ! -name . -type d -mtime +1 -print0 | xargs -r0 rmdir --
>>/dev/null 2>&1
># fi
>
># if [ -d /var/tmp -a ! -L /var/tmp ] && cd /var/tmp
># then
># find . -type f -atime +7 -print0 | xargs -r0 rm -f --
># find . ! -name . -type d -mtime +1 -print0 | xargs -r0 rmdir --
>>/dev/null 2>&1
># fi
>
>#if cd /var/spool/cron/crontabs
>#then
># find . -name 'tmp.[0-9]*' -mtime +2 -print0 | xargs -r0 rm -f --
>#fi
>
>----------------------- end included code ------------------------
>
>The rejected construction
>    find . _stuff_ | xargs rm
>seems very similar to the example given in the find info manual,
>Chapter [Common Tasks], Section [Cleaning Up]:
>    find . -name '.#*' -print0 | xargs -0r rm -f
>
>Can someone supply a reference to where the "severe, easily exploited
>security hole" is defined/justified/explained?
>
>And would it be possible to place that reference as a comment
>right in the cron file?
>
>The changelog for slink's cron package contains three occurrences of `find',
>but none of them seem to involve this problem.
>
>The reason I think this should be justified is that, lacking that
>justification,
>many people will, naturally, continue using this construction in their
>own personal scripts, as it is such a standard example.
>
>Keith
>
>PS: Pardon the duplicate message. I forgot to add the Subject the first time!
>    Please delete the 'Unidentified subject' message.
>
>
>--
>To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
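
Added example, not part of the messages above or of the Debian cron package: a cleanup that avoids the disabled pattern, in which a separate rm resolves each path name again after find has examined it. It uses find's -delete action, which unlinks each entry from inside its containing directory within find itself (the findutils manual gives it the same security advantages as -execdir). Assumptions: GNU find; clean_tmp and make_sandbox are hypothetical names, and the sandbox tree is constructed.

```shell
#!/bin/sh
# Added example. clean_tmp and make_sandbox are hypothetical names; GNU find assumed.
# Pattern disabled in /etc/cron.daily/standard (rm re-resolves each path later):
#   find . -type f -atime +3 -print0 | xargs -r0 rm -f --

clean_tmp() {
    dir=$1
    days=$2
    # Same guard as the original script: a real directory, not a symlink.
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    # -xdev stays on one filesystem; under the default -P, -type f never
    # matches a symlink and find never descends through one.
    find "$dir" -xdev -type f -atime "+$days" -delete || return 1
    # Directories left empty and unmodified for more than a day.
    find "$dir" -xdev -mindepth 1 -type d -empty -mtime +1 -delete
}

# Constructed sandbox: prints the path of a throwaway tree to clean.
make_sandbox() {
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp" "$box/tmp/olddir" "$box/outside"
    : > "$box/tmp/stale"
    : > "$box/tmp/fresh"
    : > "$box/outside/keep"
    # Backdate access times (and olddir's mtime) to the year 2000.
    touch -a -t 200001010000 "$box/tmp/stale" "$box/outside/keep"
    touch -t 200001010000 "$box/tmp/olddir"
    ln -s "$box/outside" "$box/tmp/link"   # symlink pointing out of the tree
    ln -s "$box/tmp" "$box/tmplink"        # symlink to the directory itself
    echo "$box"
}

# Stand-alone run: lists what survives in the cleaned directory.
box=$(make_sandbox) && clean_tmp "$box/tmp" 3 && ls -A "$box/tmp"
rm -rf -- "$box"
```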