Perform file operations in a secure directory. In most cases, a secure directory is a directory no one other than the user, or possibly the administrator, has the ability to read, write, execute, create, move, delete files or otherwise manipulate files. (Other users may read the directory, but generally may not modify the directory's contents in any way.)
Performing file operations in a secure directory eliminates the possibility that an attacker might tamper with the files or file system to exploit a file system vulnerability in a program. These vulnerabilities often exist because there is a loose binding between the file name and the actual file (see FIO01-A. Be careful using functions that use file names for identification). In some cases, file operations can be performed securely (and should be). In other cases, the only way to ensure secure file operations is to perform the operation within a secure directory.
...
This example implementation of a secure_dir() function will ensure that path and all directories above it are owned either by the user or the superuser, and are may not accessible be modified by any other users. When checking directories, it is important to traverse from the root to the top in order to avoid a dangerous race condition where an attacker who has privileges to at least one of the directories can delete and recreate a directory after the privilege verification.
...
This compliant solution uses the secure_dir() function above to ensure that an attacker may not tamper with the file that is opened and written to is the intended file, and also the file that is eventually to be opened and subsequently removed.
| Code Block | ||
|---|---|---|
| ||
char *file_name;
FILE *fp;
/* initialize file_name */
if (!secure_dir(file_name)) {
/* Handle Error */
}
fp = fopen(file_name, "w");
if (fp == NULL) {
/* Handle Error */
}
/*... Process file ...*/
if (fclose(fp) != 0) {
/* Handle Error */
}
if (remove(file_name) != 0) {
/* Handle Error */
}
|
...