Security Considerations for xargs
The description of the race conditions affecting the -print action of find shows that xargs cannot be secure if it is possible for an attacker to modify a filesystem after find has started but before xargs has completed all its actions.
However, there are other security issues that exist even if it is not possible for an attacker to have access to the filesystem in real time. Firstly, if it is possible for an attacker to create files with names of their own choice on the filesystem, then xargs is insecure unless the -0 option is used. Suppose a file with the name /home/someuser/foo/bar\n/etc/passwd exists (assume that \n stands for a newline character; since a path component cannot contain a slash, this means the attacker has created a directory named bar\n containing etc/passwd). Because the -print action terminates every name with a newline, find ... -print will output that single name as two separate lines:

/home/someuser/foo/bar
/etc/passwd

(The directory /home/someuser/foo/bar\n itself is printed as /home/someuser/foo/bar followed by a blank line; if it finds a blank line in the input, xargs simply ignores it.) Therefore, if some action is to be taken on the basis of this list of files, the /etc/passwd file would be included even if this was not the intent of the person running find. There are circumstances in which an attacker can use this to their advantage. The same consideration applies to filenames containing ordinary spaces rather than newlines, except that of course the list of filenames will no longer contain an “extra” newline.
This problem is an unavoidable consequence of the default behaviour of the xargs command, which is specified by the POSIX standard. The only ways to avoid this problem are either to avoid all use of xargs, in favour of, for example, find -exec or (where available) find -execdir, or to use the -0 option, which ensures that xargs considers filenames to be separated by ASCII NUL characters rather than whitespace. NUL is the one byte that can never appear in a filename, so when find's output is produced with the matching -print0 action (find ... -print0 | xargs -0 ...) an attacker-chosen name cannot be split into several arguments. However, useful though this option is, the POSIX standard does not make it mandatory.