
/etc/crontab.daily and the security hole in find | xargs



[Sorry if this question has been addressed a zillion times but the
search function of the archive seems broken]

[Sorry again: I am reading this list through the web-archives and
August hasn't appeared yet. Could you CC me?]

First of all let me thank everybody who has worked on Debian 1.3.1 for
all their efforts. It is greatly appreciated. (Using a distribution
does make one feel as if somebody else has tinkered with your system
though :-)).

I was checking out the files in /etc/crontab.daily and there it says
above the standard
 find <old tmp files> | xargs rm
lines something to the effect of "These lines commented out because of
the obvious security hole".

What security hole?

The only one I think I can see would be that xargs actually passes
its command line to the shell without properly escaping the filenames
it puts in.

Regardless of the nature of the hole: Is this fixed somewhere? The above
"hole" would be fixed by making xargs call rm directly I think.

Thanks again,

Jan
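
How xargs splits the names that find prints, shown as an added example that is not part of the original post: by default xargs breaks its input on blanks and newlines and executes the command directly with each piece as an argument, while `find -print0` with `xargs -0` keeps each name intact. The directory and file names are constructed, and a counting command stands in for rm in the first two functions.

```shell
#!/bin/sh
# Added example (not from the original post). All file names are constructed.

# Build a scratch directory holding one plain name and one name with a space.
demo_dir() {
  d=$(mktemp -d) || return 1
  : > "$d/plain.tmp"
  : > "$d/old report.tmp"
  printf '%s\n' "$d"
}

# Default mode: xargs tokenizes its input on blanks and newlines, so
# "old report.tmp" reaches the command as two separate arguments.
count_args_default() {
  find "$1" -type f -print | xargs sh -c 'echo "$#"' sh
}

# NUL-delimited mode: every file name arrives as exactly one argument.
count_args_nul() {
  find "$1" -type f -print0 | xargs -0 sh -c 'echo "$#"' sh
}

# Cleanup written the NUL-delimited way; "--" stops rm from reading a
# name that starts with "-" as an option. Prints the number of files left.
remove_nul() {
  find "$1" -type f -print0 | xargs -0 rm -f --
  find "$1" -type f | wc -l | tr -d ' '
}

d=$(demo_dir)
echo "default xargs:  $(count_args_default "$d") arguments for 2 files"
echo "xargs -0:       $(count_args_nul "$d") arguments for 2 files"
echo "files left after NUL-delimited cleanup: $(remove_nul "$d")"
rm -rf "$d"
```
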


