11.2.1 Problems with -exec and filenames

It is safe in many cases to use the ‘-execdir’ action with any file name. Because ‘-execdir’ prefixes the arguments it passes to programs with ‘./’, you will not accidentally pass an argument which is interpreted as an option. For example, the file -f would be passed to rm as ./-f, which is harmless.

However, your degree of safety does depend on the nature of the program you are running. For example, constructs such as these two commands

# risky
find -exec sh -c "something {}" \;
find -execdir sh -c "something {}" \;

are very dangerous. The reason for this is that the ‘{}’ is expanded to a filename which might contain a semicolon or other characters special to the shell. If, for example, someone creates the file /tmp/foo; rm -rf $HOME, then the two commands above could delete someone’s home directory.

For this reason, do not run any command which passes untrusted data (such as the names of files) to a program that interprets its arguments as commands to be further interpreted (for example ‘sh’).

In the case of the shell, there is a clever workaround for this problem:

# safer
find -exec sh -c 'something "$@"' sh {} \;
find -execdir sh -c 'something "$@"' sh {} \;

This approach is not guaranteed to avoid every problem, but it is much safer than substituting data of an attacker’s choice into the text of a shell command.
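
The difference between the two forms can be observed in a throwaway directory. The script below is an added example, not part of the findutils manual; the file name, the INJECTED marker and the function names are constructed for the demonstration, and ‘ls -d’ stands in for ‘something’.

```sh
#!/bin/sh
# Added example. Everything runs inside a fresh temporary directory.

# Create a sandbox holding one file whose name contains a ';'.
# If the name is ever parsed as shell text, "touch INJECTED" runs.
new_sandbox() {
    dir=$(mktemp -d) || return 1
    : > "$dir/report; touch INJECTED"   # constructed hostile file name
    printf '%s\n' "$dir"
}

# Risky form: find pastes the file name into the script text given to sh -c.
run_risky() {
    (cd "$1" && find . -type f -exec sh -c "ls -d {}" \;) >/dev/null 2>&1 || :
}

# Safer form: the script text is constant; the file name arrives as a
# positional parameter and is only ever used as data via "$@".
run_safer() {
    (cd "$1" && find . -type f -exec sh -c 'ls -d "$@"' sh {} \;) >/dev/null 2>&1 || :
}

# Report whether the command embedded in the file name was executed.
was_injected() {
    if [ -e "$1/INJECTED" ]; then echo yes; else echo no; fi
}

demo() {
    for form in risky safer; do
        dir=$(new_sandbox) || return 1
        "run_$form" "$dir"
        printf '%s: injected=%s\n' "$form" "$(was_injected "$dir")"
        rm -rf "$dir"
    done
}

demo
```

In the safer form the second ‘sh’ fills ‘$0’, so the file name becomes ‘$1’ and is never re-parsed as shell syntax.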