 
                            ...
When creating new files, it may be possible to use functions that only create a new file where a file does not already exist. This prevents the application from overwriting an existing file during file creation (see recommendation FIO03-C. Do not make assumptions about fopen() and file creation).
In rare cases, it is necessary to check for the existence of symbolic or hard links to ensure that a program is reading from an intended file and not a different file in another directory. In these cases, avoid creating a race condition when checking for the existence of symbolic links (see rule POS35-C. Avoid race conditions while checking for the existence of a symbolic link).
Noncompliant Code Example
...
If the process is running with elevated privileges, an attacker can exploit this code, for example, by replacing the file with a symbolic link to the /etc/passwd authentication file. The attacker can then overwrite data stored in the password file to create a new root account with no password. As a result, this attack can be used to gain root privileges on a vulnerable system.
...
Some systems provide the O_NOFOLLOW flag to help mitigate this problem. The flag will be required by the forthcoming POSIX.1-2008 standard, and so will become more portable over time [Austin Group 2008]. If the flag is set and the supplied file_name is a symbolic link, then the open will fail.
...
This compliant solution uses the lstat-fopen-fstat idiom illustrated in recommendation FIO05-C. Identify files using multiple file attributes.
...
This code is still subject to a TOCTOU race condition, but, before doing any operation on the file, it verifies that the file opened is the same file as was previously checked (by comparing the file's device and i-node). As a result, the code will recognize if an attacker has tampered with the file during the race window and can operate accordingly.
...
One way to deal with hard links is simply to disallow opening of any file with two or more hard links. The following code snippet, when inserted into the previous example, will identify if a file has multiple hard links.
...
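The following is an added example, not code from the CERT page or from any project: it combines the three measures discussed above, the O_NOFOLLOW flag, the lstat-open-fstat idiom (using open() rather than fopen(), so that O_NOFOLLOW can be passed), and the rejection of files with two or more hard links, in one function, and then exercises it against a constructed fixture. It assumes a POSIX system such as Linux; the function names, the enum open_result verdicts, and every path are this example's own, created in a scratch directory under /tmp.

```c
/* Added example, not code from the CERT page or any project: the
 * lstat-open-fstat idiom combined with O_NOFOLLOW and a hard-link count
 * check. Assumes a POSIX system such as Linux; every path used below is
 * constructed inside a scratch directory created with mkdtemp(). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Verdicts of safe_open_regular(); the names are this example's own. */
enum open_result {
    OPEN_OK = 0,
    OPEN_ERR_NOT_REGULAR,  /* lstat() saw a symlink, directory, device, ... */
    OPEN_ERR_HARD_LINKS,   /* the file has two or more hard links */
    OPEN_ERR_SWAPPED,      /* device/i-node changed between lstat() and fstat() */
    OPEN_ERR_SYSCALL       /* lstat(), open() or fstat() failed; errno is set */
};

/* Check the path with lstat(), open it with O_NOFOLLOW, then confirm with
 * fstat() that the descriptor refers to the very file that was checked.
 * The TOCTOU window remains, but a file swapped during it is refused. */
int safe_open_regular(const char *file_name, int flags, int *fd_out)
{
    struct stat before, after;
    int fd;

    *fd_out = -1;
    if (lstat(file_name, &before) != 0) return OPEN_ERR_SYSCALL;
    if (!S_ISREG(before.st_mode)) return OPEN_ERR_NOT_REGULAR; /* symlinks too */
    if (before.st_nlink > 1) return OPEN_ERR_HARD_LINKS;

    fd = open(file_name, flags | O_NOFOLLOW);   /* also refuses a symlink */
    if (fd < 0) return OPEN_ERR_SYSCALL;
    if (fstat(fd, &after) != 0) { close(fd); return OPEN_ERR_SYSCALL; }

    /* Same device and i-node as checked, still a regular file, still one link? */
    if (before.st_dev != after.st_dev || before.st_ino != after.st_ino ||
        !S_ISREG(after.st_mode)) { close(fd); return OPEN_ERR_SWAPPED; }
    if (after.st_nlink > 1) { close(fd); return OPEN_ERR_HARD_LINKS; }
    *fd_out = fd;
    return OPEN_OK;
}

struct scenario_results {
    int regular;            /* verdict on a plain regular file */
    int symlink;            /* verdict on a symbolic link to that file */
    int hardlinked;         /* verdict on a file that has a second hard link */
    int nofollow_refused;   /* 1 if open(O_NOFOLLOW) alone refused the symlink */
};

/* Constructed fixture: a scratch directory holding a regular file, a symlink
 * to it and a file with two hard links. Returns 0, or -1 if setup failed. */
int run_scenarios(struct scenario_results *r)
{
    char dir[] = "/tmp/pos01c-XXXXXX";
    char reg[64], lnk[64], tgt[64], hrd[64];
    int fd;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(reg, sizeof reg, "%s/regular.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/symlink.txt", dir);
    snprintf(tgt, sizeof tgt, "%s/target.txt", dir);
    snprintf(hrd, sizeof hrd, "%s/hardlink.txt", dir);
    /* O_CREAT | O_EXCL creates only where no file exists yet (FIO03-C) */
    if ((fd = open(reg, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return -1;
    close(fd);
    if ((fd = open(tgt, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return -1;
    close(fd);
    if (symlink(reg, lnk) != 0 || link(tgt, hrd) != 0) return -1;

    r->regular = safe_open_regular(reg, O_RDONLY, &fd);
    if (fd >= 0) close(fd);
    r->symlink = safe_open_regular(lnk, O_RDONLY, &fd);
    if (fd >= 0) close(fd);
    r->hardlinked = safe_open_regular(hrd, O_RDONLY, &fd);
    if (fd >= 0) close(fd);
    fd = open(lnk, O_RDONLY | O_NOFOLLOW);   /* fails with ELOOP on Linux */
    r->nofollow_refused = (fd < 0);
    if (fd >= 0) close(fd);

    unlink(reg); unlink(lnk); unlink(hrd); unlink(tgt); rmdir(dir);
    return 0;
}

/* 1 if every scenario produced the expected verdict, 0 otherwise. */
int scenarios_match_expectations(void)
{
    struct scenario_results r;
    if (run_scenarios(&r) != 0) return 0;
    return r.regular == OPEN_OK && r.symlink == OPEN_ERR_NOT_REGULAR &&
           r.hardlinked == OPEN_ERR_HARD_LINKS && r.nofollow_refused == 1;
}
```

To try it, call run_scenarios() from a main() of your own and print the four fields: the regular file yields OPEN_OK, the symbolic link OPEN_ERR_NOT_REGULAR (lstat() reports the link itself, not its target), the doubly linked file OPEN_ERR_HARD_LINKS, and the bare open() with O_NOFOLLOW on the link fails. The OPEN_ERR_SWAPPED verdict is the one that matters under an actual race: it is returned only when the device/i-node pair seen by fstat() differs from the one lstat() checked, which is exactly the tampering described above.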
Because a hard link may not be created if the link and the linked-to file are on different devices, many platforms will place system-critical files on a different device than user-editable files. For instance, the / directory, which contains critical system files like /etc/passwd, would live on one hard drive, while the /home directory, which contains user-editable files, would reside on a separate hard drive. This prevents users, for example, from creating hard links to /etc/passwd.
...
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| POS01-C | medium | likely | high | P6 | L2 | 
Automated Detection
...
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
MITRE CWE: CWE-59, "Failure to Resolve Links Before File Access (aka 'Link Following')"
MITRE CWE: CWE-362, "Race Condition"
MITRE CWE: CWE-367, "Time-of-check Time-of-use (TOCTOU) Race Condition"
Bibliography
[Austin Group 2008]
[MITRE] CWE ID 59, "Failure to Resolve Links Before File Access (aka 'Link Following')", http://cwe.mitre.org/data/definitions/59.html; CWE ID 362, "Race Condition", http://cwe.mitre.org/data/definitions/362.html; CWE ID 367, "Time-of-check Time-of-use (TOCTOU) Race Condition", http://cwe.mitre.org/data/definitions/367.html
[Open Group 2004] open(), http://www.opengroup.org/onlinepubs/009695399/functions/open.html
[Seacord 2005] Chapter 7, "File I/O"
...