Some of the actions find might take have a direct effect; these include -exec and -delete. However, it is also common to use -print, and if find produces the wrong list of file names, that can also be a security problem; consider the case for example where find is producing a list of files to be deleted.

We normally assume that the find command line expresses the file selection criteria and actions that the user had in mind – that is, the command line is “trusted” data.

From a security analysis point of view, the output of find should be correct; that is, the output should contain only the names of those files which meet the user’s criteria specified on the command line. This applies for the -exec and -delete actions; one can consider these to be part of the output.

On the other hand, the contents of the filesystem can be manipulated by other people, and hence we regard this as “untrusted” data. This implies that the find command line is a filter which converts the untrusted contents of the filesystem into a correct list of output files.

The filesystem will in general change while find is searching it; in fact, most of the potential security problems with find relate to this issue in some way.

Race conditions are a general class of security problem where the relative ordering of actions taken by find (for example) and something else is critically important in getting the correct and expected result (3).

For find, an attacker might move or rename files or directories in the hope that an action might be taken against a file which was not normally intended to be affected. Alternatively, this sort of attack might be intended to persuade find to search part of the filesystem which would not normally be included in the search (defeating the -prune action for example).
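
The effect of a rename between listing and acting, as an added Python example that is not findutils code and not part of the original page: the tree, the file names and every helper function are constructed for illustration, and the rename is done in-process so the ordering is deterministic. It goes one step beyond the text by also showing an action taken relative to an open directory descriptor, which stays bound to the directory that was actually examined.

```python
import os
import tempfile
from pathlib import Path

def make_tree(root):
    # Constructed sample: scratch/old.tmp is the intended target, keep/old.tmp is not.
    for d in ("scratch", "keep"):
        (Path(root) / d).mkdir()
        (Path(root) / d / "old.tmp").write_text(d)  # content = starting directory

def concurrent_rename(root):
    # Stand-in for another process changing the tree between listing and acting.
    os.rename(Path(root) / "scratch", Path(root) / "scratch.moved")
    os.rename(Path(root) / "keep", Path(root) / "scratch")

def survivors(root):
    # Contents of every old.tmp that still exists after the run.
    return [p.read_text() for p in sorted(Path(root).glob("*/old.tmp"))]

def delete_by_path(root):
    # Names are listed first, then re-resolved from the root when acted on.
    top = os.path.join(root, "scratch")
    paths = [os.path.join(top, n) for n in os.listdir(top) if n.endswith(".tmp")]
    concurrent_rename(root)
    for p in paths:
        os.unlink(p)
    return survivors(root)

def delete_by_dirfd(root):
    # Keep a descriptor for the directory that was examined; act relative to it.
    fd = os.open(os.path.join(root, "scratch"), os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        names = [n for n in os.listdir(fd) if n.endswith(".tmp")]
        concurrent_rename(root)
        for n in names:
            os.unlink(n, dir_fd=fd)
    finally:
        os.close(fd)
    return survivors(root)

def run(strategy):
    with tempfile.TemporaryDirectory() as root:
        make_tree(root)
        return strategy(root)

if __name__ == "__main__":
    print("path-based leaves: ", run(delete_by_path))   # the wrong file was removed
    print("dirfd-based leaves:", run(delete_by_dirfd))  # the intended file was removed
```

In the path-based run the file that started in keep is the one removed, because the stored name now resolves to a different directory; in the descriptor-based run the file that was listed is the one removed.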

• Problems with -exec and filenames
• Changing the Current Working Directory
• Race Conditions with -exec
• Race Conditions with -print and -print0

(3) This is more or less the definition of the term “race condition”.