
find | xargs command in /etc/cron.daily/standard



In Debian 2.1 (slink) the file /etc/cron.daily/standard (package cron)
contains the following code:

--------------------- begin included code ----------------------

# /etc/cron.daily/standard: standard daily maintenance script
# Written by Ian A. Murdock <imurdock@gnu.ai.mit.edu>
# Modified by Ian Jackson <ijackson@nyx.cs.du.edu>
# Modified by Steve Greenland <stevegr@master.debian.org>

bak=/var/backups

# The following three find commands are commented out do to the
# severe, easily exploited security hole introduced by 'find . _stuff_
# | xargs rm' style commands. Changing it to '-exec rm {}' doesn't
# help.

# if [ -d /tmp -a ! -L /tmp ] && cd /tmp
# then
# 	find . -type f -atime +3 -print0 | xargs -r0 rm -f --
# 	find . ! -name . -type d -mtime +1 -print0 | xargs -r0 rmdir -- >/dev/null 2>&1
# fi

# if [ -d /var/tmp -a ! -L /var/tmp ] && cd /var/tmp
# then
# 	find . -type f -atime +7 -print0 | xargs -r0 rm -f --
# 	find . ! -name . -type d -mtime +1 -print0 | xargs -r0 rmdir -- >/dev/null 2>&1
# fi

#if cd /var/spool/cron/crontabs
#then
#	find . -name 'tmp.[0-9]*' -mtime +2 -print0 | xargs -r0 rm -f --
#fi

----------------------- end included code ------------------------

The rejected construction
	find . _stuff_ | xargs rm
seems very similar to the example given in the find info manual,
Chapter [Common Tasks], Section [Cleaning Up]:
	find . -name '.#*' -print0 | xargs -0r rm -f

Can someone supply a reference to where the "severe, easily exploited
security hole" is defined/justified/explained?

And would it be possible to place that reference as a comment
right in the cron file?

The changelog for slink's cron package contains three occurrences of `find',
but none of them seem to involve this problem.

The reason I think this should be justified is that, lacking that justification,
many people will, naturally, continue using this construction in their
own personal scripts, as it is such a standard example.

Keith

PS: Pardon the duplicate message. I forgot to add the Subject the first time!
    Please delete the 'Unidentified subject' message.
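For comparison, a hardened version of the commented-out cleanup, written as an added example for this page (it is not code from the message above or from Debian's cron package). It assumes a find that supports -delete, -mindepth and -empty (GNU findutils, BusyBox). The change it demonstrates: no pathname is printed by one process and resolved later by another (rm via xargs, or via -exec), which is the time-of-check/time-of-use window a find-then-rm pipeline leaves open; find unlinks each entry itself from inside its own traversal.

```shell
# Added example, not from the original message or Debian's cron package.
# Assumes GNU/BusyBox find with -delete, -mindepth and -empty.
clean_tmp_safe() {
    dir=$1        # directory to sweep, e.g. /tmp
    days=$2       # remove regular files not accessed for more than this many days

    # Same guard as the cron script: refuse a missing or symlinked directory.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "clean_tmp_safe: $dir is not a real directory, skipping" >&2
        return 1
    fi

    # -xdev:      never cross into another filesystem mounted below $dir.
    # -mindepth 1: never act on $dir itself.
    # -delete:    find unlinks the entry itself (implies -depth); no xargs, no rm,
    #             so no pathname is handed to a second process to re-resolve.
    find "$dir" -xdev -mindepth 1 -type f -atime +"$days" -delete
    find "$dir" -xdev -mindepth 1 -type d -mtime +1 -empty -delete 2>/dev/null
    return 0
}

# Self-check on a constructed scratch directory: one stale file, one fresh file.
# Returns 0 when the stale file is removed and the fresh one is kept.
demo_clean_tmp() {
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/sub"
    : > "$scratch/sub/stale"
    : > "$scratch/fresh"
    touch -t 200001010000 "$scratch/sub/stale"   # atime and mtime set to the year 2000
    clean_tmp_safe "$scratch" 3 || return 1
    [ ! -e "$scratch/sub/stale" ] && [ -e "$scratch/fresh" ]
    result=$?
    rm -rf "$scratch"
    return "$result"
}
```

The symlink guard on the sweep directory is kept from the original script because -delete only removes the race inside the traversal; it does not make sweeping a symlinked /tmp safe.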

