Levels of Risk - Finding Files

Next: Security Considerations for find, Up: Security Considerations

8.1 Levels of Risk

There are some security risks inherent in the use of find, xargs and (to a lesser extent) locate. The severity of these risks depends on what sort of system you are using:

High risk: Multi-user systems where you do not control (or trust) the other users, and on which you execute find, including areas where those other users can manipulate the filesystem (for example beneath /home or /tmp).
Medium Risk: Systems where the actions of other users can create filenames chosen by them, but to which they don't have access while find is being run. This access might include leaving programs running (shell background jobs, at or cron tasks, for example). On these sorts of systems, carefully written commands (avoiding use of -print for example) should not expose you to a high degree of risk. Most systems fall into this category.
Low Risk: Systems to which untrusted parties do not have access, cannot create filenames of their own choice (even remotely) and which contain no security flaws which might enable an untrusted third party to gain access. Most systems do not fall into this category because there are many ways in which external parties can affect the names of files that are created on your system. The system on which I am writing this for example automatically downloads software updates from the Internet; the names of the files in which these updates exist are chosen by third parties¹.

In the discussion above, “risk” denotes the likelihood that someone can cause find, xargs, locate or some other program which is controlled by them to do something you did not intend. The levels of risk suggested do not take any account of the consequences of this sort of event. That is, if you operate a “low risk” type system, but the consequences of a security problem are disastrous, then you should still give serious thought to all the possible security problems, many of which of course will not be discussed here – this section of the manual is intended to be informative but not comprehensive or exhaustive.

If you are responsible for the operation of a system where the consequences of a security problem could be very important, you should do two things:-

Define a security policy which defines who is allowed to do what on your system
Seek competent advice on how to enforce your policy, detect breaches of that policy, and take account of any potential problems that might fall outside the scope of your policy

Footnotes

[1] Of course, I trust these parties to a large extent anyway, because I install software provided by them; I choose to trust them in this way, and that's a deliberate choice