Subject: Re: File names and security...
To: None <current-users@NetBSD.ORG>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: current-users
Date: 06/12/1997 08:19:37
> If 'xargs' is currently so broken that it runs the command thru
> 'sh -c' first or something, then we deserve to be bitten by this.

No, it doesn't; but you've misunderstood the problem.

> ...which means that "rm" gets called with, say "foo; chmod 666 /etc/passwd"
> or "foo\nchmod 666 /etc/passwd" (s/passwd/master.&/g) which would
> properly produce [an error]

The problem isn't embedding commands.  The problem is, if someone has
(say) a file /tmp/foo\n/etc/master.passwd (which is trivial to create,
if that oddly-named directory doesn't already exist), and root runs

# find /tmp/. -.... -print | xargs rm

then xargs will take the \n in the filename as an argument-separating
newline and cheerfully nuke /etc/master.passwd.

Of course, making it

# find /tmp/. -.... -print0 | xargs -0 rm

will cure this...but those are nonstandard.  (I have never been able to
figure out what POSIX xargs is supposed to be good for; it not only has
this problem but also does a lot more parsing on its input, making it
essentially useless for the stuff it normally gets used for.  A
_useful_ xargs is so trivial to write that I see no excuse for not
always having one on hand.  (I will happily mail mine to anyone who
mails me privately asking for it.))

					der Mouse

		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
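
The newline split described in the message above, reproduced inside a throwaway sandbox. This is an added illustration, not part of the original message and not der Mouse's xargs. The `scratch`, `keep` and `decoy` names and the `-type f` predicate are assumptions, and it assumes a find and xargs that support `-print0` and `-0`.

```shell
#!/bin/sh
# Added illustration: everything happens under a mktemp directory.
# "scratch" plays the role of /tmp, "keep/decoy" the file that must survive.

make_sandbox() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/scratch" "$d/keep"
    : > "$d/keep/decoy"
    # Constructed name: a directory called "foo<newline>" under scratch, with
    # the decoy's absolute path recreated beneath it. Printed by find, the
    # path reads as two lines, the second being the decoy's real path.
    nl='
'
    mkdir -p "$d/scratch/foo$nl$d/keep"
    : > "$d/scratch/foo$nl$d/keep/decoy"
    printf '%s\n' "$d"
}

# $1 = "newline" (find -print | xargs) or "nul" (find -print0 | xargs -0).
# Prints "yes" if keep/decoy still exists after the cleanup, otherwise "no".
decoy_survives() {
    d=$(make_sandbox) || return 1
    if [ "$1" = nul ]; then
        # NUL cannot occur in a path, so each name arrives as one argument.
        find "$d/scratch" -type f -print0 | xargs -0 rm -f
    else
        # Newline-delimited: the embedded newline splits one name into two.
        find "$d/scratch" -type f -print | xargs rm -f
    fi
    if [ -e "$d/keep/decoy" ]; then echo yes; else echo no; fi
    rm -rf "$d"
}

echo "newline-delimited: decoy survives? $(decoy_survives newline)"
echo "NUL-delimited:     decoy survives? $(decoy_survives nul)"
```
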