As find searches the file system, it finds subdirectories and then
searches within them by changing its working directory. First,
find notices a subdirectory. It then decides if that
subdirectory meets the criteria for being searched; that is, any
-xdev or -prune expressions are taken into account. The
find program will then change working directory and proceed to
search the directory.

A race condition attack might work like this: once the checks
relevant to -xdev and -prune have been done, an attacker renames the
directory that was being considered and puts in its place a symbolic
link that points somewhere else.

The idea behind this attack is to fool find into going into the
wrong directory. This would leave find with a working
directory chosen by an attacker, bypassing any protection apparently
provided by -xdev and -prune, and any protection
provided by not listing particular directories on
the find command line. This form of attack is particularly
problematic if the attacker can predict when the find command
will be run, as is the case with cron tasks, for example.

GNU find has specific safeguards to prevent this general class
of problem. The exact form of these safeguards depends on the
properties of your system.
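
One way a directory walker can close the window between the check and the directory change, shown as an added example that is not GNU find's own code: refuse symbolic links when opening the directory, then confirm that what was opened is the same device and inode that was checked. The names safe_enter and demo and the temporary directory layout are assumptions made for illustration; the demo goes slightly beyond the text by also covering replacement with a different real directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Enter `name` under `dirfd` only if it is not a symlink (O_NOFOLLOW) and is
 * still the directory recorded in `checked`. Returns an fd for fchdir(), or -1. */
int safe_enter(int dirfd, const char *name, const struct stat *checked)
{
    struct stat now;
    int fd = openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Identity check: same device and inode as the directory that was vetted. */
    if (fstat(fd, &now) != 0 || now.st_dev != checked->st_dev ||
        now.st_ino != checked->st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp directory. swap: 0 = no change,
 * 1 = "sub" becomes a symlink, 2 = "sub" becomes a different directory.
 * Returns 1 if entered, 0 if refused, -2 on setup failure. */
int demo(int swap)
{
    char tmpl[] = "/tmp/find_race_XXXXXX";
    const char *names[] = { "sub", "moved", "other" };
    struct stat checked;
    int top = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    if (top < 0 || mkdirat(top, "sub", 0700) || mkdirat(top, "other", 0700) ||
        fstatat(top, "sub", &checked, AT_SYMLINK_NOFOLLOW)) /* the check */
        return -2;
    if ((swap && renameat(top, "sub", top, "moved")) ||     /* the swap */
        (swap == 1 && symlinkat("other", top, "sub")) ||
        (swap == 2 && renameat(top, "other", top, "sub")))
        return -2;
    int fd = safe_enter(top, "sub", &checked);              /* the use */
    if (fd >= 0)
        close(fd);
    for (int i = 0; i < 3; i++)   /* clean up; errors ignored */
        if (unlinkat(top, names[i], 0))
            unlinkat(top, names[i], AT_REMOVEDIR);
    close(top);
    rmdir(tmpl);
    return fd >= 0;
}
```

Operating on the returned descriptor (fchdir, openat relative to it) rather than re-resolving the path keeps later steps tied to the directory that passed the check.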