Re: find | xargs command in /etc/cron.daily/standard

To: Keith Harbaugh <harbaugh@math.georgetown.edu>
Cc: debian-security@lists.debian.org
Subject: Re: find | xargs command in /etc/cron.daily/standard
From: Ian Alderman <ian@lightlink.com>
Date: Wed, 20 Oct 1999 22:31:58 -0400
Message-id: <[🔎] m11e8xQ-0005jHC@cb773100-a.mdsn1.wi.home.com>
In-reply-to: Your message of "Wed, 20 Oct 1999 02:42:43 -0000." <[🔎] 19991020024243.A904@euler.math.georgetown.edu>

Sorry about the ugly URLs below.

This security vulnerability is described in these bugtraq messages:
http://www.securityfocus.com/templates/archive.pike?list=1&msg=199605211710.NAA25637@myrus.com
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-10-15&msg=Pine.LNX.3.91.960530175349.32040C-100000@students.si.fct.unl.pt

The whole thread is available here:
http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-10-15&thread=199605211710.NAA25637@myrus.com

Or, do a search on www.securityfocus.com for the terms: xargs rm find.

Hope this helps,

-Ian

>In Debian 2.1 (slink) the file /etc/cron.daily/standard (package cron)
>contains the following code:
>
>--------------------- begin included code ----------------------
>
># /etc/cron.daily/standard: standard daily maintenance script
># Written by Ian A. Murdock <imurdock@gnu.ai.mit.edu>
># Modified by Ian Jackson <ijackson@nyx.cs.du.edu>
># Modified by Steve Greenland <stevegr@master.debian.org>
>
>bak=/var/backups
>
># The following three find commands are commented out do to the
># severe, easily exploited security hole introduced by 'find . _stuff_
># | xargs rm' style commands. Changing it to '-exec rm {}' doesn't
># help.
>
># if [ -d /tmp -a ! -L /tmp ] && cd /tmp
># then
># 	find . -type f -atime +3 -print0 | xargs -r0 rm -f --
># 	find . ! -name . -type d -mtime +1 -print0 | xargs -r0 rmdir -- >/dev/null 2>&1
># fi
>
># if [ -d /var/tmp -a ! -L /var/tmp ] && cd /var/tmp
># then
># 	find . -type f -atime +7 -print0 | xargs -r0 rm -f --
># 	find . ! -name . -type d -mtime +1 -print0 | xargs -r0 rmdir -- >/dev/null 2>&1
># fi
>
>#if cd /var/spool/cron/crontabs
>#then
>#	find . -name 'tmp.[0-9]*' -mtime +2 -print0 | xargs -r0 rm -f --
>#fi
>
>----------------------- end included code ------------------------
>
>The rejected construction
>	find . _stuff_ | xargs rm
>seems very similar to the example given in the find info manual,
>Chapter [Common Tasks], Section [Cleaning Up]:
>	find . -name '.#*' -print0 | xargs -0r rm -f
>
>Can someone supply a reference to where the  "severe, easily exploited
>security hole" is defined/justified/explained?
>
>And would it be possible to place that reference as a comment
>right in the cron file?
>
>The changelog for slink's cron package contains three occurrences of `find',
>but none of them seem to involve this problem.
>
>The reason I think this should be justified is that, lacking that justification,
>many people will, naturally, continue using this construction in their
>own personal scripts, as it is such a standard example.
>
>Keith
>
>PS: Pardon the duplicate message. I forgot to add the Subject the first time!
>    Please delete the 'Unidentified subject' message.
>
>
>--  
>To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
>with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

References:
- find | xargs command in /etc/cron.daily/standard
  - From: Keith Harbaugh <harbaugh@math.georgetown.edu>

Prev by Date: Re: Proftpd
Next by Date: OpenSSH
Previous by thread: find | xargs command in /etc/cron.daily/standard
Next by thread: Proftpd
Index(es):
- Date
- Thread