...
For OpenBSD and Linux operating systems, any file created will have mode S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH (0666), as modified by the process's umask value. (See fopen(3) in the OpenBSD Manual Pages [OpenBSD].)
Compliant Solution (fopen_s(), C11 Annex K)
The C11 Annex K function fopen_s() can be used to create a file with restricted permissions [ISO/IEC 9899:2011]:
If the file is being created, and the first character of the mode string is not 'u', to the extent that the underlying system supports it, the file shall have a file permission that prevents other users on the system from accessing the file. If the file is being created and the first character of the mode string is 'u', then by the time the file has been closed, it shall have the system default file access permissions.
The u character can be thought of as standing for "umask," meaning that these are the same permissions that the file would have been created with had it been created by fopen(). In this compliant solution, the u mode character is omitted so that the file is opened with restricted privileges (regardless of the umask):
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *file_name;
FILE *fp;
/* Initialize file_name */
errno_t res = fopen_s(&fp, file_name, "wx");
if (res != 0) {
/* Handle error */
}
|
On Windows, fopen_s() will create the file with security permissions based on the user executing the application. For more controlled permission schemes, consider using the CreateFile() function and specifying the SECURITY_ATTRIBUTES parameter.
Noncompliant Code Example (open(), POSIX)
...
Creating files with weak access permissions may allow unintended access to those files.
Recommendation | Severity | Likelihood | Detectable |
|---|
Repairable | Priority | Level |
|---|---|---|
FIO06-C | Medium | Probable |
No | No | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| BADFUNC.CREATEFILE (customization) | Use of CreateFile CodeSonar's custom checking infrastructure allows users to implement checks such as the following.
| ||||||
| Helix QAC |
| C5013 | |||||||
| LDRA tool suite |
| 44 S | Enhanced Enforcement | ||||||
| Polyspace Bug Finder |
Argument to umask allows external user too much control
Argument gives read/write/search permissions to external users
| CERT C: Rec. FIO06-C | Checks for file opened without setting access permissions. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ Coding Standard | VOID FIO06-CPP. Create files with appropriate access permissions |
| CERT Oracle Secure Coding Standard for Java | FIO01-J. Create files with appropriate access permissions |
| ISO/IEC TR 24772:2013 | Missing or Inconsistent Access Control [XZN] |
| MITRE CWE | CWE-276, Insecure default permissions CWE-279, Insecure execution-assigned permissions CWE-732, Incorrect permission assignment for critical resource |
Bibliography
| [CVE] |
| [Dowd 2006] | Chapter 9, "UNIX 1: Privileges and Files" |
| [IEEE Std 1003.1:2013] | XSH, System Interfaces, openXSH, System Interfaces, umask |
| [ISO/IEC 9899:2011] | Subclause K.3.5.2.1, "The fopen_s Function" |
| [OpenBSD] |
| [Viega 2003] | Section 2.7, "Restricting Access Permissions for New Files on UNIX" |
...
...