As find searches the file system, it finds subdirectories and then
searches within them by changing its working directory. First,
find
notices a subdirectory. It then decides if that
subdirectory meets the criteria for being searched; that is, any
-xdev or -prune expressions are taken into account. The
find
program will then change working directory and proceed to
search the directory.
A race condition attack might take the form that once the checks relevant to -xdev and -prune have been done, an attacker might rename the directory that was being considered, and put in its place a symbolic link that actually points somewhere else.
The idea behind this attack is to fool find
into going into the
wrong directory. This would leave find
with a working
directory chosen by an attacker, bypassing any protection apparently
provided by -xdev and -prune, and any protection
provided by being able to not list particular directories on
the find
command line. This form of attack is particularly
problematic if the attacker can predict when the find
command
will be run, as is the case with cron
tasks for example.
GNU find
has specific safeguards to prevent this general class
of problem. The exact form of these safeguards depends on the
properties of your system.