Re: What is the security hole in find -exec rm -- {} \; ?
On Wed, Sep 02, 1998 at 08:27:25PM +0100, Chris Reed wrote:
>
> Sorry if this is a FAQ, but;
>
> in the debian cron package (3.0pl1-45 is the one I'm looking at),
> /etc/cron.daily/standard says:
>
> # The following three find commands are commented out do to the
> # severe, easily exploited security hole introduced by 'find . _stuff_
> # | xargs rm' style commands. Changing it to '-exec rm {}' doesn't
> # help.
[snipped rest of code and speculation as to the hole]
> If there is still some security hole, then what is it? And is
> /etc/rcS.d/S55bootmisc.sh (from sysvinit) not at risk from the same
> problems?
The security hole here is a race condition where find can be manipulated
into handing a filename to rm which refers to a different file by the time
rm runs (by using deeply nested directories and symlinks). The boot script
isn't a security hole because it runs at a time when there isn't anyone
logged into the system to exploit such a race condition.
--
| The idea that an arbitrary naive human should be
Scott K. Ellis | able to properly use a given tool without
storm@gate.net | training or understanding is even more wrong for
| computing than it is for other tools (e.g.
| automobiles, airplanes, guns, power saws).
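
Added example, not part of the original message or of the Debian cron package: a cleaner that avoids the race described above by never handing a path back to a second lookup. It walks by directory file descriptor, opens subdirectories with O_NOFOLLOW and unlinks relative to the open descriptor. The names `clean_tree` and `demo`, the 7-day cutoff and the constructed temporary tree are assumptions; it needs a platform with `dir_fd` support such as Linux.

```python
import os, stat, tempfile, time

def clean_tree(dir_fd, cutoff):
    """Unlink regular files older than cutoff beneath dir_fd; return count removed."""
    removed = 0
    for name in os.listdir(dir_fd):
        try:
            st = os.lstat(name, dir_fd=dir_fd)   # never follows a symlink
        except FileNotFoundError:
            continue
        if stat.S_ISDIR(st.st_mode):
            try:
                # O_NOFOLLOW: open fails if name became a symlink after the lstat
                sub = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                              dir_fd=dir_fd)
            except OSError:
                continue
            try:
                removed += clean_tree(sub, cutoff)
            finally:
                os.close(sub)
        elif stat.S_ISREG(st.st_mode) and st.st_mtime < cutoff:
            try:
                os.unlink(name, dir_fd=dir_fd)   # unlinkat(): one component, no path walk
                removed += 1
            except FileNotFoundError:
                pass
    return removed

def demo():
    """Constructed tree: tmp/a/stale (old), tmp/link -> outside, outside/keep (old)."""
    with tempfile.TemporaryDirectory() as base:
        tmp, outside = os.path.join(base, "tmp"), os.path.join(base, "outside")
        os.makedirs(os.path.join(tmp, "a"))
        os.mkdir(outside)
        old = time.time() - 10 * 86400
        for p in (os.path.join(tmp, "a", "stale"), os.path.join(outside, "keep")):
            open(p, "w").close()
            os.utime(p, (old, old))
        os.symlink(outside, os.path.join(tmp, "link"))
        fd = os.open(tmp, os.O_RDONLY | os.O_DIRECTORY)
        try:
            n = clean_tree(fd, time.time() - 7 * 86400)
        finally:
            os.close(fd)
        return (n, os.path.exists(os.path.join(outside, "keep")),
                os.path.exists(os.path.join(tmp, "a", "stale")))

if __name__ == "__main__":
    print(demo())
```
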