find: Levels of Risk

11.1 Levels of Risk
===================

There are some security risks inherent in the use of 'find', 'xargs' and
(to a lesser extent) 'locate'.  The severity of these risks depends on
what sort of system you are using:

*High Risk*
     Multi-user systems where you do not control (or trust) the other
     users, and on which you execute 'find', including areas where those
     other users can manipulate the filesystem (for example beneath
     '/home' or '/tmp').

*Medium Risk*
     Systems where the actions of other users can create file names
     chosen by them, but to which they don't have access while 'find' is
     being run.  This access might include leaving programs running
     (shell background jobs, 'at' or 'cron' tasks, for example).  On
     these sorts of systems, carefully written commands (avoiding use of
     '-print' for example) should not expose you to a high degree of
     risk.  Most systems fall into this category.

*Low Risk*
     Systems to which untrusted parties do not have access, cannot
     create file names of their own choice (even remotely) and which
     contain no security flaws which might enable an untrusted third
     party to gain access.  Most systems do not fall into this category
     because there are many ways in which external parties can affect
     the names of files that are created on your system.  The system on
     which I am writing this, for example, automatically downloads
     software updates from the Internet; the names of the files in which
     these updates exist are chosen by third parties(1).

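Why the Medium Risk entry singles out '-print': the following is an added
example, not part of the findutils manual.  It builds a constructed scratch
tree with one file name containing a newline and compares a line-based reading
of '-print' output with '-exec ... {} +' and with '-print0' piped to
'xargs -0' (two options this section does not itself name).

```shell
#!/bin/sh
# Added example.  The scratch tree and both file names are constructed.
nl='
'

# Build a scratch directory holding one ordinary name and one name that
# contains a newline, then print the directory's path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    : > "$d/report.txt"
    : > "$d/draft${nl}part2.txt"
    printf '%s\n' "$d"
}

# What a line-oriented consumer of -print sees: one "name" per line.
# The embedded newline makes a single file appear as two entries.
count_by_print_lines() {
    find "$1" -type f -print | wc -l | tr -d ' '
}

# -exec ... {} + hands every name to the command as its own argument,
# so no output is parsed and the name's contents cannot split it.
count_by_exec() {
    find "$1" -type f -exec sh -c 'for f do printf x; done' sh {} + |
        wc -c | tr -d ' '
}

# -print0 terminates each name with NUL, the one byte a file name cannot
# contain; xargs -0 splits on NUL only.
count_by_print0() {
    find "$1" -type f -print0 |
        xargs -0 sh -c 'for f do printf x; done' sh | wc -c | tr -d ' '
}

demo=$(make_demo_tree) || exit 1
printf 'entries seen via -print lines : %s\n' "$(count_by_print_lines "$demo")"
printf 'files seen via -exec {} +     : %s\n' "$(count_by_exec "$demo")"
printf 'files seen via -print0/xargs  : %s\n' "$(count_by_print0 "$demo")"
rm -rf "$demo"
```
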
   In the discussion above, "risk" denotes the likelihood that someone
can cause 'find', 'xargs', 'locate' or some other program which is
controlled by them to do something you did not intend.  The levels of
risk suggested do not take any account of the consequences of this sort
of event.  That is, if you operate a "low risk" type system, but the
consequences of a security problem are disastrous, then you should still
give serious thought to all the possible security problems, many of
which of course will not be discussed here - this section of the manual
is intended to be informative but not comprehensive or exhaustive.

   If you are responsible for the operation of a system where the
consequences of a security problem could be very important, you should
do two things:

  1. Define a security policy which defines who is allowed to do what on
     your system.
  2. Seek competent advice on how to enforce your policy, detect
     breaches of that policy, and take account of any potential problems
     that might fall outside the scope of your policy.

   ---------- Footnotes ----------

   (1) Of course, I trust these parties to a large extent anyway,
because I install software provided by them; I choose to trust them in
this way, and that's a deliberate choice.