find: Security Considerations for xargs
11.3 Security Considerations for 'xargs'
========================================
The description of the race conditions affecting the '-print' action of
'find' shows that 'xargs' cannot be secure if it is possible for an
attacker to modify a filesystem after 'find' has started but before
'xargs' has completed all its actions.
However, there are other security issues that exist even if it is not
possible for an attacker to have access to the filesystem in real time.
Firstly, if it is possible for an attacker to create files with names of
their choice on the filesystem, then 'xargs' is insecure unless the '-0'
option is used. If a file with the name
'/home/someuser/foo/bar\n/etc/passwd' exists (assume that '\n' stands
for a newline character), then 'find ... -print' can be persuaded to
print three separate lines:
     /home/someuser/foo/bar
     /etc/passwd
If it finds a blank line in the input, 'xargs' will ignore it.
Therefore, if some action is to be taken on the basis of this list of
files, the '/etc/passwd' file would be included even though that was not
the intent of the person running 'find'. There are circumstances in which
an attacker can use this to their advantage. The same consideration
applies to file names containing ordinary spaces rather than newlines,
except that of course the list of file names will no longer contain an
"extra" newline.
This problem is an unavoidable consequence of the default behaviour of
the 'xargs' command, which is specified by the POSIX standard. The only
ways to avoid it are either to avoid all use of 'xargs' in favour of, for
example, 'find -exec' or (where available) 'find -execdir', or to use
the '-0' option, which makes 'xargs' treat file names as separated by
ASCII NUL characters rather than by whitespace. However, useful as this
option is, the POSIX standard does not make it mandatory.
POSIX also specifies that 'xargs' interprets quoting and trailing
whitespace in file names specially. This means that 'find ... -print |
xargs ...' can cause the commands run by 'xargs' to receive a list of
file names which is not the same as the list printed by 'find'. The
interpretation of quotes and trailing whitespace is turned off by the
'-0' option to 'xargs', which is another reason to use that option.
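The following script is an added example and is not part of the findutils
manual. It constructs, in a throwaway directory, one file name containing
a newline (the case described in the first part of this section) and one
containing a single quote (the quoting case described just above), then
counts how many arguments actually reach the command under
'find -print | xargs' versus 'find -print0 | xargs -0'. It assumes GNU
findutils ('-print0', '-0', and the "unmatched quote" error behaviour);
the directory and file names are made up for the demonstration and the
second "line" of the newline name is a harmless relative name standing in
for the manual's '/etc/passwd'.

```shell
#!/bin/sh
# Added example, not part of the findutils manual. Assumes GNU findutils.
# Shows how whitespace-separated xargs input miscounts file names that
# contain a newline or a quote, and how -print0 / -0 avoids both problems.

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/newline/foo" "$demo_dir/quote"

# Constructed name containing a newline. After the newline comes a
# harmless relative name, in the role the manual gives to /etc/passwd.
: > "$demo_dir/newline/foo/bar
passwd-lookalike"

# Constructed name containing a single quote, which POSIX xargs treats as
# the start of a quoted string.
: > "$demo_dir/quote/it's here.txt"

# Count the arguments the command receives when 'find -print | xargs'
# splits its input on whitespace. With -n 1000 everything lands in one
# invocation, so 'sh -c "echo $#"' prints the argument count.
# Prints -1 when xargs refuses to run the command at all (for example
# because of an unmatched quote).
args_seen_whitespace() {
    n=$(find "$1" -type f -print \
        | xargs -n 1000 sh -c 'echo $#' sh 2>/dev/null) || { echo -1; return; }
    echo "$n"
}

# Same count with NUL-terminated names: quotes and whitespace are no
# longer special, so each file name arrives as exactly one argument.
args_seen_nul() {
    find "$1" -type f -print0 | xargs -0 -n 1000 sh -c 'echo $#' sh
}

# Report the four combinations (one file in each directory).
printf 'newline name, whitespace-separated: %s argument(s)\n' \
    "$(args_seen_whitespace "$demo_dir/newline")"
printf 'newline name, NUL-separated:        %s argument(s)\n' \
    "$(args_seen_nul "$demo_dir/newline")"
printf 'quoted name,  whitespace-separated: %s (xargs refused to run)\n' \
    "$(args_seen_whitespace "$demo_dir/quote")"
printf 'quoted name,  NUL-separated:        %s argument(s)\n' \
    "$(args_seen_nul "$demo_dir/quote")"
```

In the whitespace-separated case the newline name is delivered as two
arguments, the second of which ('passwd-lookalike') is a name 'find'
never matched as a file; with a quote in the name GNU 'xargs' stops with
an "unmatched single quote" error before running anything. With
'-print0 | xargs -0' both names arrive as a single argument each, which
is the behaviour the section recommends relying on.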