find: Security Considerations for find

 
 11.2 Security Considerations for 'find'
 =======================================
 
 Some of the actions 'find' might take have a direct effect; these
 include '-exec' and '-delete'.  However, it is also common to use
 '-print' explicitly or implicitly, and so if 'find' produces the wrong
 list of file names, that can also be a security problem; consider the
 case for example where 'find' is producing a list of files to be
 deleted.
 
    We normally assume that the 'find' command line expresses the file
 selection criteria and actions that the user had in mind - that is, the
 command line is "trusted" data.
 
    From a security analysis point of view, the output of 'find' should
 be correct; that is, the output should contain only the names of those
 files which meet the user's criteria specified on the command line.
 This applies for the '-exec' and '-delete' actions; one can consider
 these to be part of the output.
 
    On the other hand, the contents of the filesystem can be manipulated
 by other people, and hence we regard this as "untrusted" data.  This
 implies that the 'find' command line is a filter which converts the
 untrusted contents of the filesystem into a correct list of output
 files.
 
    The filesystem will in general change while 'find' is searching it;
 in fact, most of the potential security problems with 'find' relate to
 this issue in some way.
 
    "Race conditions" are a general class of security problem where the
 relative ordering of actions taken by 'find' (for example) and something
 else are critically important in getting the correct and expected
 result(1).
 
    For 'find', an attacker might move or rename files or directories in
 the hope that an action might be taken against a file which was not
 normally intended to be affected.  Alternatively, this sort of attack
 might be intended to persuade 'find' to search part of the filesystem
 which would not normally be included in the search (defeating the
 '-prune' action for example).
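    To make the gap between producing the list and acting on it concrete,
 the following added shell example (not part of the findutils manual)
 simulates, in a throwaway directory, an untrusted change to the
 filesystem between 'find -print' and the command that consumes its
 output, and contrasts that with letting 'find' re-evaluate its tests at
 action time.  The directory and file names are constructed for the
 demonstration.

```sh
#!/bin/sh
# Constructed demonstration: a stale `find -print` list versus a single
# `find` pass that re-checks its criteria when the action runs.

# Build a throwaway tree: scratch/ holds the *.tmp file we mean to delete,
# keep/ holds a same-named file that must survive.  Prints the root.
setup_tree() {
  workdir=$(mktemp -d) || exit 1
  mkdir "$workdir/scratch" "$workdir/keep"
  echo junk > "$workdir/scratch/a.tmp"
  echo important > "$workdir/keep/a.tmp"
  echo "$workdir"
}

# Simulated untrusted change: scratch/ is replaced by a symlink to keep/,
# so the path that was listed now resolves to keep/a.tmp instead.
swap_scratch_for_symlink() {
  rm -r "$1/scratch"
  ln -s "$1/keep" "$1/scratch"
}

# Two-pass pattern: the list is correct when produced, but nothing
# re-checks it when it is consumed.  Returns 0 if keep/a.tmp was removed.
stale_list_deletes_wrong_file() {
  d=$(setup_tree)
  find "$d/scratch" -name '*.tmp' -print > "$d/list"
  swap_scratch_for_symlink "$d"
  xargs rm -f < "$d/list"          # rm resolves scratch/ through the symlink
  [ ! -e "$d/keep/a.tmp" ]; rc=$?
  rm -rf "$d"
  return $rc
}

# Single-pass pattern: -name is evaluated at action time, and since find
# does not follow symlinks by default the swapped scratch/ is not entered.
# Returns 0 if keep/a.tmp survived.
recheck_at_action_time_is_safe() {
  d=$(setup_tree)
  swap_scratch_for_symlink "$d"
  find "$d/scratch" -name '*.tmp' -type f -delete
  [ -e "$d/keep/a.tmp" ]; rc=$?
  rm -rf "$d"
  return $rc
}
```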
 