11.2.2 Changing the Current Working Directory

As find searches the filesystem, it finds subdirectories and then searches within them by changing its working directory. First, find reaches and recognises a subdirectory. It then decides if that subdirectory meets the criteria for being searched; that is, any ‘-xdev’ or ‘-prune’ expressions are taken into account. The find program will then change working directory and proceed to search the directory.

A race condition attack might take the form that once the checks relevant to ‘-xdev’ and ‘-prune’ have been done, an attacker might rename the directory that was being considered, and put in its place a symbolic link that actually points somewhere else.

The idea behind this attack is to fool find into going into the wrong directory. This would leave find with a working directory chosen by an attacker, bypassing any protection apparently provided by ‘-xdev’ and ‘-prune’, and any protection provided by being able to not list particular directories on the find command line. This form of attack is particularly problematic if the attacker can predict when the find command will be run, as is the case with cron tasks for example.

GNU find has specific safeguards to prevent this general class of problem. The exact form of these safeguards depends on the properties of your system.