findutils-patches

[Findutils-patches] [PATCH] Bug 20951: better explanation of insecure $PATH.


From: James Youngman
Subject: [Findutils-patches] [PATCH] Bug 20951: better explanation of insecure $PATH.
Date: Sat, 8 Sep 2007 15:27:08 +0100

2007-09-08  James Youngman  <address@hidden>

        * doc/find.texi (Single File): Better explanation of what makes
        certain values of $PATH insecure.  This fixes Savannah bug
        #20951.
        * find/find.1 (-execdir): Likewise.

Signed-off-by: James Youngman <address@hidden>
---
 NEWS          |    9 ++++++---
 doc/find.texi |   27 +++++++++++++++++++++------
 find/find.1   |    6 ++++--
 3 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/NEWS b/NEWS
index 5453209..d53fd4c 100644
--- a/NEWS
+++ b/NEWS
@@ -70,15 +70,18 @@ Added an extra worked example for find (copying a subset of 
files).
 
 The locate command's manual page now has a HISTORY section.
 
+#20951: Very bad/unclear/confusing documentationing for a security
+note of find's -execdir option
+
+#20865: Better documentation on the fact that -delete implies -depth 
+and that -delete interacts badly with -prune.
+
 #20552: Fixed typos, formatting and section ordering issues in the
 find manual page.
 
 #20529: removed spurious 'o' in description of "xargs -a" in
 doc/find.texi. 
 
-#20865: Better documentation on the fact that -delete implies -depth 
-and that -delete interacts badly with -prune.
-
 ** Translations
 
 Updated Dutch translation.
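Review bot: the new `+#20951: Very bad/unclear/confusing documentationing for a security` line has a typo, "documentationing" should be "documentation". Moving the #20865 entry above #20552 keeps the list in descending bug-number order, which is fine, but the moved line `+and that -delete implies -depth ` still carries the trailing space from the original; worth trimming while the line is being touched.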
diff --git a/doc/find.texi b/doc/find.texi
index 4917501..c3525af 100644
--- a/doc/find.texi
+++ b/doc/find.texi
@@ -2057,12 +2057,27 @@ find . -name '*.h' -execdir diff -u '@address@hidden' 
/tmp/master ';'
 @end example
 @end deffn
 
-If you use @samp{-execdir}, you must ensure that the current directory
-is not on @var{$PATH}, because otherwise an attacker could make
address@hidden run commands of their choice simply by leaving a
-suitably-named file in the right directory.  GNU find will refuse to
-run if you use @samp{-execdir} and the current directory is in
address@hidden
+If you use @samp{-execdir}, you must ensure that the @samp{$PATH}
+variable contains only absolute directory names.  Having an empty
+element in @samp{$PATH} or explicitly including @samp{.} (or any other
+non-absolute name) is insecure.  GNU find will refuse to run if you
+use @samp{-execdir} and it thinks your @samp{$PATH} setting is
+insecure.  For example:
+
address@hidden @samp
address@hidden /bin:/usr/bin:
+Insecure; empty path element (at the end)
address@hidden :/bin:/usr/bin:/usr/local/bin
+Insecure; empty path element (at the start)
address@hidden /bin:/usr/bin::/usr/local/bin
+Insecure; empty path element (two colons in a row)
address@hidden /bin:/usr/bin:.:/usr/local/bin
+Insecure; @samp{.} is a path element (@file{.} is not an absolute file name)
address@hidden /bin:/usr/bin:sbin:/usr/local/bin
+Insecure; @samp{sbin} is not an absolute file name
address@hidden /bin:/usr/bin:/sbin:/usr/local/bin
+Secure (if you control the contents of those directories and any access to 
them)
address@hidden table
 
 Another similar option, @samp{-exec} is supported, but is less secure.
 @xref{Security Considerations}, for a discussion of the security
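Review bot: the new paragraph states that a non-absolute element such as `sbin` is insecure, and the table repeats it, but neither says why. Suggest one sentence after "is insecure" giving the reason: a relative element is resolved against the current working directory, and with -execdir that is the directory containing the matched file, so `sbin` gives an attacker who can write to that directory the same control as `.` does. The last table row, "Secure (if you control the contents of those directories and any access to them)", would also read more clearly as a condition on write access to the listed directories rather than "any access to them", since read access by others does not make the setting insecure.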
diff --git a/find/find.1 b/find/find.1
index c6846cb..c3dcee0 100644
--- a/find/find.1
+++ b/find/find.1
@@ -800,10 +800,12 @@ invocation of
 will only list files that exist in the same subdirectory.  If you use
 this option, you must ensure that your 
 .B $PATH
-environment variable does not reference the current directory;
+environment variable does not reference `.';
 otherwise, an attacker can run any commands they like by leaving an
 appropriately-named file in a directory in which you will run
-\-execdir.
+\-execdir.  The same applies to having entries in 
+.B $PATH
+which are empty or which are not absolute directory names.
 
 .IP "\-fls \fIfile\fR"
 True; like \-ls but write to \fIfile\fR like \-fprint.
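Review bot: the manual page now lists the insecure cases (`.', empty entries, non-absolute entries) but, unlike the doc/find.texi change in the same patch, does not tell the reader that find refuses to run when it detects them; suggest adding a sentence after `+which are empty or which are not absolute directory names.` so the two documents agree, along the lines of "GNU find will refuse to run \-execdir if it considers $PATH insecure." The line `+\-execdir.  The same applies to having entries in ` also has a trailing space.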
-- 
1.5.2.1