What is the security hole in find -exec rm -- {} \; ?
Sorry if this is a FAQ, but
in the Debian cron package (3.0pl1-45 is the one I'm looking at),
/etc/cron.daily/standard says:
# The following three find commands are commented out do to the
# severe, easily exploited security hole introduced by 'find . _stuff_
# | xargs rm' style commands. Changing it to '-exec rm {}' doesn't
# help.
# if [ -d /tmp -a ! -L /tmp ] && cd /tmp
# then
# find . -type f -atime +3 -print0 | xargs -r0 rm -f --
# find . ! -name . -type d -mtime +1 -print0 | xargs -r0 rmdir -- > /dev/null 2>&1
# fi
I've always assumed this was due to problems with filenames of the type
"foo ; some-evil-command", but the following does appear to work:
find . -type f -atime +3 -exec rm -f {} ';'
(e.g.
cr212@dura:/tmp/test/copy$ ls -l
total 0
-rw-r--r-- 1 cr212 chris 0 Sep 2 20:10 -some-nasty-option
-rw-r--r-- 1 cr212 chris 0 Sep 2 20:10 foo ; whoami
cr212@dura:/tmp/test/copy$ find . -type f -exec rm -f {} ';'
cr212@dura:/tmp/test/copy$ ls -l
total 0
the whoami command is never executed)
If there is still some security hole, then what is it? And is
/etc/rcS.d/S55bootmisc.sh (from sysvinit) not at risk from the same
problems?
-- Christopher Reed, Selwyn College, Cambridge --
E-Mail: cr212@cam.ac.uk WWW: http://dura.sel.cam.ac.uk/ [~cr212/]
r2 T1 cSEL dCS hEn/Chi A4 S+ C*$+++L/UdP W+++ y# a VTsj (Cantab) 1.0
"Don't throw your hand."