find: Security Considerations for find

11.2 Security Considerations for 'find'
=======================================

Some of the actions 'find' might take have a direct effect; these
include '-exec' and '-delete'.  However, it is also common to use
'-print' explicitly or implicitly, and so if 'find' produces the wrong
list of file names, that can also be a security problem; consider the
case for example where 'find' is producing a list of files to be
deleted.

   We normally assume that the 'find' command line expresses the file
selection criteria and actions that the user had in mind - that is, the
command line is "trusted" data.

   From a security analysis point of view, the output of 'find' should
be correct; that is, the output should contain only the names of those
files which meet the user's criteria specified on the command line.
This applies for the '-exec' and '-delete' actions; one can consider
these to be part of the output.

   On the other hand, the contents of the filesystem can be manipulated
by other people, and hence we regard this as "untrusted" data.  This
implies that the 'find' command line is a filter which converts the
untrusted contents of the filesystem into a correct list of output
files.

   The filesystem will in general change while 'find' is searching it;
in fact, most of the potential security problems with 'find' relate to
this issue in some way.

   "Race conditions" are a general class of security problem where the
relative ordering of actions taken by 'find' (for example) and something
else is critically important in getting the correct and expected
result(1).

   For 'find', an attacker might move or rename files or directories in
the hope that an action might be taken against a file which was not
normally intended to be affected.  Alternatively, this sort of attack
might be intended to persuade 'find' to search part of the filesystem
which would not normally be included in the search (defeating the
'-prune' action for example).
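
   The stale-list case described above, as an added example that is not
part of the findutils manual: in a constructed temporary sandbox,
directories are renamed between the moment 'find' lists a file and the
moment the list is acted on.  The function names, the directory layout
and the inode re-check are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed sandbox: every path lives under a fresh temporary directory.

make_tree() {    # scratch/ is searched; keep/ is outside the search
    root=$(mktemp -d) || return 1
    mkdir -p "$root/scratch/job" "$root/keep/job"
    echo disposable > "$root/scratch/job/report"
    echo important  > "$root/keep/job/report"
    echo "$root"
}

# Stand-in for concurrent activity by someone else: directories are renamed
# after find has produced its list, so a listed name now reaches another file.
rename_dirs() {
    mv "$1/scratch/job" "$1/scratch/job.old"
    mv "$1/keep/job" "$1/scratch/job"
}

# Emit "inode path" for each file that meets the criteria (ls -i is POSIX).
list_with_inode() {
    find "$1/scratch" -type f -name report -exec ls -i {} \;
}

# Acts on the saved names alone.
delete_by_name() {
    while read -r ino path; do rm -f -- "$path"; done
}

# Acts only if the name still refers to the inode that find selected.
# This narrows the window; a check followed by an action is not atomic.
delete_if_same_file() {
    while read -r ino path; do
        now=$(ls -i "$path" 2>/dev/null | awk '{print $1}')
        if [ "$now" = "$ino" ]; then rm -f -- "$path"
        else echo "skipped, no longer the selected file: $path" >&2; fi
    done
}

# $1 names the delete function; prints the fate of the file from keep/.
run_case() {
    root=$(make_tree) || return 1
    list=$(list_with_inode "$root")
    rename_dirs "$root"
    printf '%s\n' "$list" | "$1"
    if [ -e "$root/scratch/job/report" ]; then echo survived; else echo deleted; fi
    rm -rf -- "$root"
}

echo "names only:    $(run_case delete_by_name)"       # deleted
echo "inode checked: $(run_case delete_if_same_file)"  # survived
```

   In the first case the saved name is still valid but no longer refers
to a file that met the criteria, which is exactly the incorrect output
the section describes.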