find -L -execdir (Was: "find" ends with exit code "0" although exec command returned an error)

Sun, 20 Dec 2015 11:55:06 -0800 

2015-12-20 18:30:36 +0000, James Youngman:
> On Fri, Dec 18, 2015 at 11:43 PM, Stephane Chazelas
> <stephane.chaze...@gmail.com> wrote:
> 
> > At that Q&A, we also discuss the behaviour of GNU find when both
> > -L and -execdir are used for which I think at least the
> > documentation could benefit from some clarification.
> 
> Could you be more specific?
[...]

Hi James

Well what I wrote at the link was quite explicit. But to expand
a bit:

-execdir cmd {} is a feature introduced by BSDs and there, is
explicitely documented to run cmd from  within dirname(file) and
where {} is expanded basename(file).

In the GNU find documentation, it's less clearly stated, but it
mostly says the same thing.

What -execdir does is more described in the -exec section:

 -- Action: -exec command ;
     This insecure variant of the '-execdir' action is specified by
     POSIX. The main difference is that the command is executed in the
     directory from which 'find' was invoked, meaning that '{}' is
     expanded to a relative path starting with the name of one of the
     starting directories, rather than just the basename of the matched
     file.


It says with -execdir, {} is the basename of the file which
(without -L) is not completely true as it's "./" concatenated
with the basename of the file.

With -L (and it's not documented except in a comment in the
code, again see http://unix.stackexchange.com/a/250194), cmd is
not run from dirname(file), and {} is not "./" basename(file),
it's mostly the same as -exec.

/tmp/test$ mkdir -p 1/2/3
/tmp/test$ find . -exec pwd \; -exec echo {} \;
/tmp/test
.
/tmp/test
./1
/tmp/test
./1/2
/tmp/test
./1/2/3
/tmp/test$ find . -execdir pwd \; -execdir echo {} \;
/tmp/test
./.
/tmp/test
./1
/tmp/test/1
./2
/tmp/test/1/2
./3
/tmp/test$ find -L . -execdir pwd \; -execdir echo {} \;
/tmp/test
./.
/tmp/test
././1
/tmp/test
././1/2
/tmp/test
././1/2/3



Ideally, I'd say it would be better if GNU find behaviour was
the same as BSD's (where above you'd get the same output with
and without -L.

If not (as I agree it won't make much difference from a security
point of view as we're following links anyway), IMO the behaviour
should be documented (along with the fact that it diverges from
the original BSD implementation).

The case should probably also be considered in the section that
covers the security implication of using -exec/-execdir.

-- 
Stephane

Reply via email to