As find searches the filesystem, it finds subdirectories and then searches within them by changing its working directory. First, find reaches and recognises a subdirectory. It then decides whether that subdirectory meets the criteria for being searched; that is, any ‘-xdev’ or ‘-prune’ expressions are taken into account. The find program will then change its working directory and proceed to search the directory.
A race condition attack might take the following form: once the checks relevant to ‘-xdev’ and ‘-prune’ have been done, an attacker renames the directory that was being considered and puts in its place a symbolic link that actually points somewhere else. The idea behind this attack is to fool find into going into the wrong directory. This would leave find with a working directory chosen by the attacker, bypassing any protection apparently provided by ‘-xdev’ and ‘-prune’, and any protection provided by being able to omit particular directories from the find command line. This form of attack is particularly problematic if the attacker can predict when find will be run, as is the case with cron tasks for example.
find has specific safeguards to prevent this general class of problem. The exact form of these safeguards depends on the properties of your system.
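The check-then-use gap described above (the directory is inspected, then entered by name) is what the swap exploits. The following C program is an added example, not code from the findutils manual or from find itself, showing the general shape of the safeguard on systems that provide O_NOFOLLOW: take an lstat() snapshot of the directory, open it with O_NOFOLLOW | O_DIRECTORY so that a symbolic link swapped in at that name cannot be followed, confirm via fstat() that the open descriptor still refers to the same device and inode as the snapshot, and only then fchdir() into it. The function names (open_dir_checked, safe_chdir, demo_symlink_swap_is_rejected) and the temporary-directory scenario are this example's own constructions.

```c
/* Added example (not findutils code): defeating the rename-to-symlink race
 * when descending into a subdirectory. Function names are this example's own. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open 'path' as a directory only if it is not a symlink and its identity
 * (device, inode) matches the caller's earlier lstat() snapshot.
 * Returns an open descriptor, or -1 if the object changed under us. */
int open_dir_checked(const char *path, const struct stat *expected)
{
    /* O_NOFOLLOW: a symlink swapped in at this name makes open() fail (ELOOP). */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_DIRECTORY);
    if (fd < 0)
        return -1;
    struct stat after;
    if (fstat(fd, &after) != 0 ||
        after.st_dev != expected->st_dev ||
        after.st_ino != expected->st_ino) {
        close(fd);               /* a different directory was renamed in */
        return -1;
    }
    return fd;
}

/* Descend into 'path': snapshot, open with checks, then fchdir() on the fd
 * rather than chdir() on the name, so nothing is re-resolved by path. */
int safe_chdir(const char *path)
{
    struct stat before;
    if (lstat(path, &before) != 0 || !S_ISDIR(before.st_mode))
        return -1;
    int fd = open_dir_checked(path, &before);
    if (fd < 0)
        return -1;
    int rc = fchdir(fd);
    close(fd);
    return rc;
}

/* Constructed scenario: a real subdirectory "sub" and a symlink "swapped"
 * pointing at "/". Simulates the race by snapshotting "sub" and then trying
 * to enter via the symlink name, as if the swap happened after the check.
 * Returns 1 when the real directory is accepted and the swap is rejected. */
int demo_symlink_swap_is_rejected(void)
{
    char tmpl[] = "/tmp/findrace.XXXXXX";
    char *base = mkdtemp(tmpl);
    if (!base)
        return 0;
    char sub[256], link[256], cwd[4096];
    snprintf(sub, sizeof sub, "%s/sub", base);
    snprintf(link, sizeof link, "%s/swapped", base);
    int ok = 0;
    if (mkdir(sub, 0700) == 0 && symlink("/", link) == 0 &&
        getcwd(cwd, sizeof cwd) != NULL) {
        struct stat snapshot;
        int real_ok = safe_chdir(sub) == 0;              /* genuine dir: accepted */
        if (chdir(cwd) != 0)
            real_ok = 0;
        /* Check passed on the real dir, but the name now resolves to a symlink. */
        int swap_rejected = lstat(sub, &snapshot) == 0 &&
                            open_dir_checked(link, &snapshot) == -1;
        ok = real_ok && swap_rejected;
    }
    unlink(link);
    rmdir(sub);
    rmdir(base);
    return ok;
}

int main(void)
{
    printf("symlink swap rejected: %s\n",
           demo_symlink_swap_is_rejected() ? "yes" : "no");
    return 0;
}
```

The device/inode comparison matters even with O_NOFOLLOW: it also catches an attacker who renames a different real directory into place, which a symlink check alone would not notice. On systems without O_NOFOLLOW the same identity comparison has to be done after the directory change, which is the weaker fallback the next sections describe.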
* O_NOFOLLOW: Safely changing directory using
* Systems without O_NOFOLLOW: Checking for symbolic links after