Let's say someone provides you with a tarball, saying it is source code and nothing else. You want to make sure that is true, and that no virus-laden executables or libraries are tucked away in a directory. How to use the find command to do this?
Thanks.
You can uncompress the file in a safe place (like a filesystem mounted noexec) and check the resulting directories for binaries. The file command can tell you whether a file is text, source code, binary, etc.
[root@xt ~]# file ./packages/Digest-MD5-2.33/t/badfile.t
./packages/Digest-MD5-2.33/t/badfile.t: ASCII text
[root@xt ~]# file ./packages/Digest-MD5-2.33/MD5.pm
./packages/Digest-MD5-2.33/MD5.pm: Perl5 module source text
[root@xt ~]# file ./packages/rrdtool-1.0.50/src/gdpng.o
./packages/rrdtool-1.0.50/src/gdpng.o: ELF 64-bit LSB relocatable, AMD x86-64, version 1 (SYSV), not stripped
Something like the following, where you filter for ELF executables would work:
find . -type f -exec file {} + | grep ELF
And the output would be:
[root@xt ~]# find . -type f -exec file {} + | grep ELF
./packages/rrdtool-1.0.50/gd1.3/gdfontl.o: ELF 64-bit LSB relocatable, AMD x86-64, version 1 (SYSV), not stripped
./packages/rrdtool-1.0.50/gd1.3/gdfontmb.o: ELF 64-bit LSB relocatable, AMD x86-64, version 1 (SYSV), not stripped
./packages/rrdtool-1.0.50/gd1.3/gdlucidan10l2.o: ELF 64-bit LSB relocatable, AMD x86-64, version 1 (SYSV), not stripped
./packages/rrdtool-1.0.50/gd1.3/gdlucidab14.o: ELF 64-bit LSB relocatable, AMD x86-64, version 1 (SYSV), not stripped
./packages/rrdtool-1.0.50/gd1.3/gdlucidan10.o: ELF 64-bit LSB relocatable, AMD x86-64, version 1 (SYSV), not stripped
A file marked executable need not be a executable or loadable file or object.
Here is what I use:
find ./ -type f -name "*" -not -name "*.o" -exec sh -c '
case "$(head -n 1 "$1")" in
?ELF*) exit 0;;
MZ*) exit 0;;
#!*/ocamlrun*)exit0;;
esac
exit 1
' sh {} \; -print
