11.3 Security Considerations for xargs

The description of the race conditions affecting the ‘-print’ action of find shows that xargs cannot be secure if it is possible for an attacker to modify a filesystem after find has started but before xargs has completed all its actions.

However, there are other security issues that exist even if it is not possible for an attacker to have access to the filesystem in real time. Firstly, if it is possible for an attacker to create files with names of their choice on the filesystem, then xargs is insecure unless the ‘-0’ option is used. If a file with the name /home/someuser/foo/bar\n/etc/passwd exists (assume that ‘\n’ stands for a newline character), then find … -print can be persuaded to print three separate lines:

/home/someuser/foo/bar

/etc/passwd

If it finds a blank line in the input, xargs will ignore it. Therefore, if some action is to be taken on the basis of this list of files, the /etc/passwd file would be included even if this was not the intent of the person running find. There are circumstances in which an attacker can use this to their advantage. The same consideration applies to file names containing ordinary spaces rather than newlines, except that of course the list of file names will no longer contain an “extra” newline.

This problem is an unavoidable consequence of the default behaviour of the xargs command, which is specified by the POSIX standard. The only ways to avoid this problem are either to avoid all use of xargs in favour for example of ‘find -exec’ or (where available) ‘find -execdir’, or to use the ‘-0’ option, which ensures that xargs considers file names to be separated by ASCII NUL characters rather than whitespace. However, useful as this option is, the POSIX standard does not make it mandatory.

POSIX also specifies that xargs interprets quoting and trailing whitespace specially in filenames, too. This means that using find ... -print | xargs ... can cause the commands run by xargs to receive a list of file names which is not the same as the list printed by find. The interpretation of quotes and trailing whitespace is turned off by the ‘-0’ argument to xargs, which is another reason to use that option.