xargs
The description of the race conditions affecting the ‘-print’ action of find shows that xargs cannot be secure if it is possible for an attacker to modify a filesystem after find has started but before xargs has completed all its actions.
However, there are other security issues that exist even if it is not possible for an attacker to have access to the filesystem in real time. Firstly, if it is possible for an attacker to create files with names of their choice on the filesystem, then xargs is insecure unless the ‘-0’ option is used. If a file with the name /home/someuser/foo/bar\n/etc/passwd exists (assume that ‘\n’ stands for a newline character), then find … -print can be persuaded to print three separate lines:

    /home/someuser/foo/bar

    /etc/passwd

If it finds a blank line in the input, xargs will ignore it. Therefore, if some action is to be taken on the basis of this list of files, the /etc/passwd file would be included even if this was not the intent of the person running find. There are circumstances in which an attacker can use this to their advantage. The same consideration applies to file names containing ordinary spaces rather than newlines, except that of course the list of file names will no longer contain an “extra” newline.
This problem is an unavoidable consequence of the default behaviour of the xargs command, which is specified by the POSIX standard. The only ways to avoid this problem are either to avoid all use of xargs in favour of, for example, ‘find -exec’ or (where available) ‘find -execdir’, or to use the ‘-0’ option, which ensures that xargs considers file names to be separated by ASCII NUL characters rather than whitespace. However, useful as this option is, the POSIX standard does not make it mandatory.
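The following script is an added demonstration, not part of the findutils manual: it builds a scratch tree (in a directory from mktemp) whose only regular file lives under a directory named "bar" followed by two newline characters, then compares how many arguments the command run by xargs receives from ‘find -print’ against ‘find -print0 | xargs -0’ (the ‘-print0’ action is the find-side counterpart of ‘-0’). All paths and names are constructed here.

```shell
#!/bin/sh
# Added example (not from the findutils manual). Creates a temporary tree in
# which a directory name contains newline characters, so that the path of the
# single file beneath it prints as three lines under find -print.

# Create the scratch tree and print the temporary top directory.
make_tree() {
    top=$(mktemp -d) || return 1
    nl=$(printf '\nx'); nl=${nl%x}          # a literal newline character
    mkdir -p "$top/foo/bar$nl$nl/etc"       # directory named "bar\n\n"
    : > "$top/foo/bar$nl$nl/etc/passwd"     # constructed stand-in file
    printf '%s\n' "$top"
}

# Number of arguments the command run by xargs receives when file names
# are newline separated (the insecure POSIX default).
args_via_print() {
    find "$1" -type f -print | xargs sh -c 'echo "$#"' sh
}

# Same count with NUL separated names: -0 makes xargs treat the
# embedded newlines as part of the name, not as separators.
args_via_print0() {
    find "$1" -type f -print0 | xargs -0 sh -c 'echo "$#"' sh
}

# The last argument the insecure pipeline hands to the command: a path
# that never existed as a file of its own inside the scratch tree.
last_arg_via_print() {
    find "$1" -type f -print | xargs sh -c 'shift $(($# - 1)); printf "%s\n" "$1"' sh
}

top=$(make_tree)
printf 'find -print  | xargs    passes %s argument(s)\n' "$(args_via_print "$top")"
printf 'find -print0 | xargs -0 passes %s argument(s)\n' "$(args_via_print0 "$top")"
printf 'last argument via -print: %s\n' "$(last_arg_via_print "$top")"
rm -rf "$top"
```

With one real file in the tree, the ‘-print’ pipeline passes two arguments (the second being /etc/passwd) while the ‘-0’ pipeline passes exactly one.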
POSIX also specifies that xargs interprets quoting and trailing whitespace specially in file names, too. This means that using find ... -print | xargs ... can cause the commands run by xargs to receive a list of file names which is not the same as the list printed by find. The interpretation of quotes and trailing whitespace is turned off by the ‘-0’ argument to xargs, which is another reason to use that option.