11.2 Security Considerations for find

Some of the actions find might take have a direct effect; these include -exec and -delete. However, it is also common to use -print explicitly or implicitly, and so if find produces the wrong list of file names, that can also be a security problem; consider the case for example where find is producing a list of files to be deleted.

We normally assume that the find command line expresses the file selection criteria and actions that the user had in mind – that is, the command line is “trusted” data.

From a security analysis point of view, the output of find should be correct; that is, the output should contain only the names of those files which meet the user’s criteria specified on the command line. This applies for the -exec and -delete actions; one can consider these to be part of the output.

On the other hand, the contents of the filesystem can be manipulated by other people, and hence we regard this as “untrusted” data. This implies that the find command line is a filter which converts the untrusted contents of the filesystem into a correct list of output files.

The filesystem will in general change while find is searching it; in fact, most of the potential security problems with find relate to this issue in some way.

Race conditions are a general class of security problem where the relative ordering of actions taken by find (for example) and something else are critically important in getting the correct and expected result3 .

For find, an attacker might move or rename files or directories in the hope that an action might be taken against a file which was not normally intended to be affected. Alternatively, this sort of attack might be intended to persuade find to search part of the filesystem which would not normally be included in the search (defeating the -prune action for example).


Footnotes

(3)

This is more or less the definition of the term “race condition”