The description of the race conditions affecting the ‘-print’ action of find shows that xargs cannot be secure if it is possible for an attacker to modify a filesystem after find has started but before xargs has completed all its actions.
However, there are other security issues that exist even if it is not possible for an attacker to have access to the filesystem in real time. Firstly, if it is possible for an attacker to create files with names of their choice on the filesystem, then xargs is insecure unless the ‘-0’ option is used. If a file with the name /home/someuser/foo/bar\n/etc/passwd exists (assume that ‘\n’ stands for a newline character), then find … -print can be persuaded to print three separate lines:
If it finds a blank line in the input, xargs will ignore it. Therefore, if some action is to be taken on the basis of this list of files, the /etc/passwd file would be included even if this was not the intent of the person running find. There are circumstances in which an attacker can use this to their advantage. The same consideration applies to file names containing ordinary spaces rather than newlines, except that of course the list of file names will no longer contain an “extra” newline.
This problem is an unavoidable consequence of the default behaviour of the xargs command, which is specified by the POSIX standard. The only ways to avoid this problem are either to avoid all use of xargs, in favour of, for example, ‘find -exec’ or (where available) ‘find -execdir’, or to use the ‘-0’ option, with which xargs considers file names to be separated by ASCII NUL characters rather than whitespace. However, useful as this option is, the POSIX standard does not make it mandatory.
POSIX also specifies that xargs interprets quoting and trailing whitespace in file names specially. This means that using find ... -print | xargs ... can cause the commands run by xargs to receive a list of file names which is not the same as the list printed by find. The interpretation of quotes and trailing whitespace is turned off by the ‘-0’ argument to xargs, which is another reason to use that option.
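The following is an added example, not part of the findutils manual, that makes the whitespace-splitting and ‘-0’ points above concrete: it constructs a directory containing a file whose name embeds a newline and another whose name contains a space, then compares the argument list delivered to the command by find ... -print | xargs with the list delivered by find ... -print0 | xargs -0. It assumes a find that supports ‘-print0’ and an xargs that supports ‘-0’ (GNU or BSD); the file names and the helper names are constructed here.

```shell
#!/bin/sh
# Build a throwaway directory with two awkward file names and print its path.
# (Names constructed for this example; "$nl" holds a literal newline.)
make_fixture() {
    dir=$(mktemp -d) || return 1
    nl=$(printf '\n_'); nl=${nl%_}        # keep the newline that $(...) would strip
    : > "$dir/bar${nl}evil"               # one file, name contains a newline
    : > "$dir/a b"                        # one file, name contains a space
    printf '%s\n' "$dir"
}

# delivered_args DIR MODE
#   MODE "unsafe": find -print  | xargs     (whitespace-separated, POSIX default)
#   MODE "safe":   find -print0 | xargs -0  (NUL-separated)
# Prints one "arg: ..." line per argument the command actually receives.
delivered_args() {
    dir=$1; mode=$2
    if [ "$mode" = safe ]; then
        find "$dir" -type f -print0 | xargs -0 sh -c 'for a; do printf "arg: %s\n" "$a"; done' sh
    else
        find "$dir" -type f -print  | xargs    sh -c 'for a; do printf "arg: %s\n" "$a"; done' sh
    fi
}

# count_args DIR MODE: number of arguments the command received.
# With two files present, "safe" yields 2; "unsafe" yields 4, because the
# newline and the space are both treated as separators and "evil" and "b"
# arrive as names of their own.
count_args() {
    delivered_args "$1" "$2" | grep -c '^arg: '
}

demo_dir=$(make_fixture)
echo "unsafe pipeline:"; delivered_args "$demo_dir" unsafe
echo "safe pipeline:";   delivered_args "$demo_dir" safe
rm -rf "$demo_dir"
```

Note that the "safe" output still contains a raw newline inside one argument, which is exactly what the command being run must be prepared to handle; the point is that the argument boundary is preserved.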