Re: What is the security hole in find -exec rm -- {} \; ?

["Scott K. Ellis" <storm@gate.net>]

On Wed, Sep 02, 1998 at 08:27:25PM +0100, Chris Reed wrote:
>                            
> Sorry if this is a FAQ, but;
> 
> in the debian cron package (3.0pl1-45 is the one I'm looking at), 
> /etc/cron.daily/standard says:
> 
> # The following three find commands are commented out do to the
> # severe, easily exploited security hole introduced by 'find . _stuff_
> # | xargs rm' style commands. Changing it to '-exec rm {}' doesn't
> # help.
[snipped rest of code and speculation as to the hole]
> If there is still some security hole, then what is it?  And is 
> /etc/rcS.d/S55bootmisc.sh (from sysvinit) not at risk from the same 
> problems?

The security hole here is a race condition where find can be manipulated
into handing a filename to rm which refers to a different file by the time
rm runs (by using deeply nested directories and symlinks).  The boot script
isn't a security hole because it runs at a time when there isn't anyone
logged into the system to exploit such a race condition.

-- 
                      |    The idea that an arbitrary naive human should be
    Scott K. Ellis    |        able to properly use a given tool without
    storm@gate.net    |    training or understanding is even more wrong for
                      |       computing than it is for other tools (e.g.
                      |       automobiles, airplanes, guns, power saws).