find -print0 (24 Jul 2003)
See, I don't understand what all this filesharing fuss is about. People put so much effort into Kazaa, Gnutella and other weirdly named stuff.
All you need is a user running a buggy version of phpBB, a gigabaud link to the Internet and people will upload stuff to you! 84GB of stuff to be precise onto our primary fileserver. It says something about the systems at Imperial that this was such small fry that it didn't even register for a few days until they setup ftp servers and our webserver was a couple of places higher than normal on the list of hosts by outbound traffic.
What's really amusing is watching the script kiddie's exploit. (Yes, we keep
full packet logs of everything for a couple of weeks, so we just scanned back
and selected that TCP stream). They connected and it's so obvious that they
didn't have a clue. They were pasting commands in (multiple commands in 1
packet) and couldn't use grep. They would ls -lR to find somewhere to
put their files and hit ^C after a while ... before doing it again and trying
to hit ^C at the right place because it had gone off the top of the screen 
.
(I would usually lock php right down to stop user level compromises like this. But it's a university and we are ment to give them pretty free run. And yes, the user web and db servers do get buggered silly on a fairly regular basis as scripts run amok.)
I was explaining to someone the importance of using the -print0 argument to find when working in untrusted paths. Often the output of find is piped into a program like xargs using newlines to deliminate files. The -print0 (and -0 option to xargs) uses null bytes insted.
Try this example:
% python
Python 2.2.3 (#1, Jul 12 2003, 15:30:57)
[GCC 3.2.3 20030422 (Gentoo Linux 1.4 3.2.3-r1, propolice)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.mkdir ("foo\n"); os.mkdir ("foo\n/etc");
>>> open ("foo\n/etc/passwd", "w+").close ()
>>>
% find
.
./foo
./foo
/etc
./foo
/etc/passwd
Opps! Where did /etc/passwd come from? Lets hope that that xargs wasn't doing anything nasty.