8.3 Security Considerations for xargs

The description of the race conditions affecting the -print action of find shows that xargs cannot be secure if it is possible for an attacker to modify a filesystem after find has started but before xargs has completed all its actions.

However, there are other security issues that exist even if it is not possible for an attacker to have access to the filesystem in real time. Firstly, if it is possible for an attacker to create files with names of their own choice on the filesystem, then xargs is insecure unless the -0 option is used. If a file with the name /home/someuser/foo/bar\n/etc/passwd exists (assume that \n stands for a newline character), then find ... -print can be persuaded to print three separate lines:

     /home/someuser/foo/bar
     
     /etc/passwd

If it finds a blank line in the input, xargs will ignore it. Therefore, if some action is to be taken on the basis of this list of files, the /etc/passwd file would be included even if this was not the intent of the person running find. There are circumstances in which an attacker can use this to their advantage. The same consideration applies to filenames containing ordinary spaces rather than newlines, except that of course the list of filenames will no longer contain an “extra” newline.

This problem is an unavoidable consequence of the default behaviour of the xargs command, which is specified by the POSIX standard. The only ways to avoid this problem are either to avoid all use of xargs in favour of, for example, find -exec or (where available) find -execdir, or to use the -0 option, which ensures that xargs considers filenames to be separated by ASCII NUL characters rather than whitespace. However, useful though this option is, the POSIX standard does not make it mandatory.
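The splitting described above, as an added shell demonstration that is not part of the findutils manual: a constructed file name containing an embedded newline is created in a throw-away temporary directory, and the number of arguments actually handed to the command is counted under default xargs splitting, under find -print0 | xargs -0, and under find -exec ... {} +. It assumes a find and xargs that support -print0 and -0 (GNU or BSD).

```shell
#!/bin/sh
# Added demonstration, not code from the findutils manual.
# Shows how a newline inside a file name becomes two xargs arguments under
# default whitespace splitting, but stays one argument with -print0/-0 or
# with find -exec ... {} +.

nl=$(printf '\nx'); nl=${nl%x}   # a literal newline character, kept explicit

# Create a scratch directory holding one constructed file named
# "report.txt<newline>decoy" and print the directory path.
make_scratch() {
    dir=$(mktemp -d) || exit 1
    : > "$dir/report.txt${nl}decoy"
    printf '%s' "$dir"
}

# Arguments seen by the command with default (whitespace) xargs splitting.
count_args_whitespace() {
    dir=$(make_scratch)
    n=$(find "$dir" -type f -print | xargs sh -c 'echo $#' sh)
    rm -rf "$dir"
    echo "$n"
}

# Arguments seen by the command with NUL-separated names (-print0 / -0).
count_args_nul() {
    dir=$(make_scratch)
    n=$(find "$dir" -type f -print0 | xargs -0 sh -c 'echo $#' sh)
    rm -rf "$dir"
    echo "$n"
}

# Arguments seen by the command when xargs is avoided via find -exec ... {} +.
count_args_exec() {
    dir=$(make_scratch)
    n=$(find "$dir" -type f -exec sh -c 'echo $#' sh {} +)
    rm -rf "$dir"
    echo "$n"
}

# Stand-alone run: one file on disk, yet default splitting reports two arguments.
echo "default splitting: $(count_args_whitespace) argument(s)"   # 2
echo "NUL splitting:     $(count_args_nul) argument(s)"          # 1
echo "find -exec +:      $(count_args_exec) argument(s)"         # 1
```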