[Findutils-patches] [PATCH] Bug 20951: better explanation of insecure $P
From: James Youngman
Subject: [Findutils-patches] [PATCH] Bug 20951: better explanation of insecure $PATH.
Date: Sat, 8 Sep 2007 15:27:08 +0100
2007-09-08 James Youngman <address@hidden>
* doc/find.texi (Single File): Better explanation of what makes
certain values of $PATH insecure. This fixes Savannah bug
#20951.
* find/find.1 (-execdir): Likewise.
Signed-off-by: James Youngman <address@hidden>
---
NEWS | 9 ++++++---
doc/find.texi | 27 +++++++++++++++++++++------
find/find.1 | 6 ++++--
3 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/NEWS b/NEWS
index 5453209..d53fd4c 100644
--- a/NEWS
+++ b/NEWS
@@ -70,15 +70,18 @@ Added an extra worked example for find (copying a subset of
files).
The locate command's manual page now has a HISTORY section.
+#20951: Very bad/unclear/confusing documentationing for a security
+note of find's -execdir option
+
+#20865: Better documentation on the fact that -delete implies -depth
+and that -delete interacts badly with -prune.
+
#20552: Fixed typos, formatting and section ordering issues in the
find manual page.
#20529: removed spurious 'o' in description of "xargs -a" in
doc/find.texi.
-#20865: Better documentation on the fact that -delete implies -depth
-and that -delete interacts badly with -prune.
-
** Translations
Updated Dutch translation.
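Review bot: The added #20951 entry in NEWS reads as a complaint ("Very bad/unclear/confusing documentationing for a security note of find's -execdir option") rather than a statement of what changed, and "documentationing" is not a word. Word it like the neighbouring entries, for example "#20951: Better documentation of which values of $PATH are insecure with -execdir." The same hunk also moves the #20865 entry, which is unrelated to this bug; either split that reordering into its own change or mention it in the commit message, which currently lists only doc/find.texi and find/find.1.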
diff --git a/doc/find.texi b/doc/find.texi
index 4917501..c3525af 100644
--- a/doc/find.texi
+++ b/doc/find.texi
@@ -2057,12 +2057,27 @@ find . -name '*.h' -execdir diff -u '@address@hidden'
/tmp/master ';'
@end example
@end deffn
-If you use @samp{-execdir}, you must ensure that the current directory
-is not on @var{$PATH}, because otherwise an attacker could make
address@hidden run commands of their choice simply by leaving a
-suitably-named file in the right directory. GNU find will refuse to
-run if you use @samp{-execdir} and the current directory is in
address@hidden
+If you use @samp{-execdir}, you must ensure that the @samp{$PATH}
+variable contains only absolute directory names. Having an empty
+element in @samp{$PATH} or explicitly including @samp{.} (or any other
+non-absolute name) is insecure. GNU find will refuse to run if you
+use @samp{-execdir} and it thinks your @samp{$PATH} setting is
+insecure. For example:
+
address@hidden @samp
address@hidden /bin:/usr/bin:
+Insecure; empty path element (at the end)
address@hidden :/bin:/usr/bin:/usr/local/bin
+Insecure; empty path element (at the start)
address@hidden /bin:/usr/bin::/usr/local/bin
+Insecure; empty path element (two colons in a row)
address@hidden /bin:/usr/bin:.:/usr/local/bin
+Insecure; @samp{.} is a path element (@file{.} is not an absolute file name)
address@hidden /bin:/usr/bin:sbin:/usr/local/bin
+Insecure; @samp{sbin} is not an absolute file name
address@hidden /bin:/usr/bin:/sbin:/usr/local/bin
+Secure (if you control the contents of those directories and any access to
them)
address@hidden table
Another similar option, @samp{-exec} is supported, but is less secure.
@xref{Security Considerations}, for a discussion of the security
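Review bot: The new find.texi paragraph drops the reason the setting is dangerous: the removed text said an attacker could make find run commands of their choice by leaving a suitably-named file in the right directory, while the replacement only calls such values "insecure". Keep one sentence of that rationale ahead of the table so the reader understands why empty and non-absolute elements matter. The phrase "it thinks your $PATH setting is insecure" is also vague; say exactly which condition makes find refuse to run, so the reader can tell whether it is the same rule the table illustrates (an empty element or any non-absolute name).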
diff --git a/find/find.1 b/find/find.1
index c6846cb..c3dcee0 100644
--- a/find/find.1
+++ b/find/find.1
@@ -800,10 +800,12 @@ invocation of
will only list files that exist in the same subdirectory. If you use
this option, you must ensure that your
.B $PATH
-environment variable does not reference the current directory;
+environment variable does not reference `.';
otherwise, an attacker can run any commands they like by leaving an
appropriately-named file in a directory in which you will run
-\-execdir.
+\-execdir. The same applies to having entries in
+.B $PATH
+which are empty or which are not absolute directory names.
.IP "\-fls \fIfile\fR"
True; like \-ls but write to \fIfile\fR like \-fprint.
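Review bot: In find.1 the requirement is now split in two: the first sentence still names only `.', and the empty and non-absolute cases are appended after the attacker explanation as "The same applies to having entries in $PATH which are empty or which are not absolute directory names", so a reader who stops at the first sentence gets an incomplete rule. State the rule once, positively, as the find.texi hunk does ("contains only absolute directory names"), and follow it with the attacker rationale. The manual page also leaves out what find.texi says about find refusing to run with such a $PATH; adding that sentence would keep the two documents consistent.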
--
1.5.2.1