find: Levels of Risk

11.1 Levels of Risk
===================

There are some security risks inherent in the use of 'find', 'xargs' and
(to a lesser extent) 'locate'. The severity of these risks depends on
what sort of system you are using:

*High Risk*
     Multi-user systems where you do not control (or trust) the other
     users, and on which you execute 'find', including areas where those
     other users can manipulate the filesystem (for example beneath
     '/home' or '/tmp').

*Medium Risk*
     Systems where the actions of other users can create file names
     chosen by them, but to which they don't have access while 'find' is
     being run. This access might include leaving programs running
     (shell background jobs, 'at' or 'cron' tasks, for example). On
     these sorts of systems, carefully written commands (avoiding use of
     '-print' for example) should not expose you to a high degree of
     risk. Most systems fall into this category.

*Low Risk*
     Systems to which untrusted parties do not have access, cannot
     create file names of their own choice (even remotely) and which
     contain no security flaws which might enable an untrusted third
     party to gain access. Most systems do not fall into this category
     because there are many ways in which external parties can affect
     the names of files that are created on your system. The system on
     which I am writing this, for example, automatically downloads
     software updates from the Internet; the names of the files in which
     these updates exist are chosen by third parties(1).

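The Medium Risk entry advises avoiding '-print'. The sketch below is an
added illustration, not text or code from the findutils manual: it shows
how a file name containing a newline makes a line-oriented consumer of
'-print' see names that do not exist, while '-print0' with 'xargs -0'
sees exactly the files present. It assumes a 'find' and 'xargs' that
support '-print0' and '-0' (GNU findutils does); the function names and
the sample file names are constructed for the example.

```shell
#!/bin/sh
# Constructed sandbox: two ordinary names and one name containing a newline.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    : > "$dir/report.txt"
    : > "$dir/notes.txt"
    : > "$dir/$(printf 'part one\npart two')"
    printf '%s\n' "$dir"
}

# Records a newline-delimited reader sees in 'find -print' output.
count_print_records() {
    find "$1" -type f -print | wc -l | tr -d ' '
}

# Records a NUL-delimited reader sees in 'find -print0' output.
count_print0_records() {
    find "$1" -type f -print0 | tr -dc '\0' | wc -c | tr -d ' '
}

# How many names read line by line actually refer to an existing file.
count_real_line() {
    ( cd "$1" || exit 1
      find . -type f -print | while IFS= read -r name; do
          if [ -e "$name" ]; then echo ok; fi
      done | wc -l | tr -d ' ' )
}

# The same check, with names passed NUL-delimited through 'xargs -0'.
count_real_nul() {
    ( cd "$1" || exit 1
      find . -type f -print0 |
          xargs -0 sh -c 'for f; do if [ -e "$f" ]; then echo ok; fi; done' sh |
          wc -l | tr -d ' ' )
}

# Demonstration run: three files exist in the sandbox.
sandbox=$(make_sandbox)
echo "-print  records: $(count_print_records "$sandbox")," \
     "naming real files: $(count_real_line "$sandbox")"
echo "-print0 records: $(count_print0_records "$sandbox")," \
     "naming real files: $(count_real_nul "$sandbox")"
rm -rf "$sandbox"
```
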
In the discussion above, "risk" denotes the likelihood that someone
can cause 'find', 'xargs', 'locate' or some other program which is
controlled by them to do something you did not intend. The levels of
risk suggested do not take any account of the consequences of this sort
of event. That is, if you operate a "low risk" type system, but the
consequences of a security problem are disastrous, then you should still
give serious thought to all the possible security problems, many of
which, of course, will not be discussed here - this section of the manual
is intended to be informative but not comprehensive or exhaustive.

If you are responsible for the operation of a system where the
consequences of a security problem could be very important, you should
do two things:

1. Define a security policy which defines who is allowed to do what on
   your system.
2. Seek competent advice on how to enforce your policy, detect
   breaches of that policy, and take account of any potential problems
   that might fall outside the scope of your policy.

---------- Footnotes ----------

(1) Of course, I trust these parties to a large extent anyway,
because I install software provided by them; I choose to trust them in
this way, and that's a deliberate choice.