Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

When working with files, it is important to ensure all operations take place File operations should be performed in a secure directory. In most cases this means that , a secure directory is a directory in which no one other than the user or superuser (or Administrator) , or possibly the administrator, has the ability to readcreate, writerename, execute, createdelete, move, or delete files. Since C99 makes no mention of the concept of file systems or file permissions, any solution would necessarily be platform specific and likely not very portable.

For examples on how to create a secure directory inside another secure directory see FIO15-A. Do not create temporary files in shared directories.

Non-Compliant Code Example

This code example attempts to save a secret in a file specified by path. While path is assumed to come from a trusted source (see FIO02-A. Canonicalize path names originating from untrusted sources), this does not imply that an attacker will not be able to read the secret after it is written out to file.

otherwise manipulate files. (Other users may read or search the directory but generally may not modify the directory's contents in any way.) Also, other users must not be able to delete or rename files in the parent of the secure directory and all higher directories, although creating new files or deleting or renaming files they own is permissible.

Performing file operations in a secure directory eliminates the possibility that an attacker might tamper with the files or file system to exploit a file system vulnerability in a program. These vulnerabilities often exist because there is a loose binding between the file name and the actual file. (See FIO01-C. Be careful using functions that use file names for identification.) In some cases, file operations can be performed securely anywhere. In other cases, the only way to ensure secure file operations is to perform the operation within a secure directory.

Ensuring that file systems are configured in a safe manner is typically a system administration function. However, programs can often check that a file system is securely configured before performing file operations that may lead to security vulnerabilities if the system is misconfigured. There is a slight possibility that file systems will be reconfigured in an insecure manner while a process is running and after the check has been made. As a result, it is always advisable to implement your code in a secure manner (that is, consistent with the other rules and recommendations in this section) even when running in a secure directory.

Noncompliant Code Example

In this noncompliant code example, the file identified by file_name is opened, processed, closed, and removed:

Code Block
bgColor#FFCCCC
langc
char *file_name;
FILE *fp;

/* Initialize file_name */

fp = fopen(file_name, "w");
if (fp == NULL) {
  /* Handle error */
}

/* ... Process file ... */

if (fclose(fp) != 0
Code Block
bgColor#ffcccc

void write_secret(const char* path, secret_t my_secret) {
  /* save my_secret to the file specified by path */
}
Handle error */
}

if (remove(file_name) != 0) {
  /* Handle error */
}

An attacker can replace the file object identified by file_name with a link to an arbitrary file before the call to fopen(). It is also possible that the file object identified by file_name in the call to remove() is not the same file object identified by file_name in the call to fopen(). If the file is not in a secure directory, for example, /tmp/app/tmpdir/passwd, then an attacker can manipulate the location of the file as follows:

Code Block
% cd /tmp/app/ 
% rm -rf tmpdir
% ln -s /etc tmpdir

Not much can be done programmatically to ensure the file removed is the same file that was opened, processed, and closed, except to make sure that the file is opened in a secure directory with privileges that would prevent the file from being manipulated by an untrusted user.

Compliant Solution (POSIX)

This example sample implementation of a the function secure_dir() function will ensure that path ensures that the directory fullpath and all directories above it are owned by either by the user or the superuser , and are not accessible by any that other users do not have write access to the directories. When checking directories, it is important to traverse from the root to the top in order leaf to avoid a dangerous race condition where in which an attacker who has privileges to at least one of the directories can delete rename and recreate re-create a directory after the privilege verification.

fullpath need not be canonicalized (see FIO02-C. Canonicalize path names originating from tainted sources). If the path contains a symbolic link, this routine recursively invokes itself on the linked-to directory and ensures it is also secure. A symbolically linked directory may be secure if both its source and linked-to directory are secure.

Note that this function is effective only on file systems that are fully compatible with UNIX permissions, and it may not behave normally for file systems with other permission mechanisms, such as AFS (Andrew File System).

Code Block
bgColor#ccccff
langc
#include <stdlib.h>
#include <stdlib<limits.h>
#include <unistd<string.h>
#include <libgen.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

enum { MAX_SYMLINKS = 5 };

/* Returns nonzero if directory is secure, zero otherwise */
int secure_dir(const char * pathfullpath) {
  char *realpath_resstatic unsigned int num_symlinks = realpath(path, NULL)0;
  char *path_copy = NULL;
  char *dirname_res*dirs = NULL;
  char ** dirs;
  int num_of_dirs = 01;
  int insecuresecure = 01;
  int i, r;
  struct stat buf;
  uid_t my_uid = getuidgeteuid();
  uidsize_t my_gid = getgid();
 linksize;
  char* link;
   
  if (!fullpath || fullpath[0] != '/') {
    /* Handle error */
  }
   
  if (realpathnum_ressymlinks == NULL> MAX_SYMLINKS) {  /* Could be a symlink loop */
    /* Handle Errorerror */
  }
  
  if (!(path_copy = strdup(pathfullpath))) {
    /* Handle Errorerror */
  }
  
  /* Figure out how far it is to the root */
  while (1) {
    dirname_reschar* path_parent = dirname(path_copy);
  for (; free((strcmp(path_copy);
    path_copy = NULL;

    num_of_dirs++;

parent, "/") != 0) &&
         if ((strcmp(dirnamepath_resparent, ".//") !== 0) &&
    ||      (strcmp(dirnamepath_resparent, "/.") !== 0)) {
      break;
    }

    if (!(path_copyparent = strdupdirname(dirnamepath_resparent))) {
    num_of_dirs++;
  } /* Handle Error */
    }
  }Now num_of_dirs indicates # of dirs we must check */
  free(path_copy);
  path_copy = NULL;

  /* Now allocate and fill the dirs array */
  if (!(dirs = (char **) malloc(num_of_dirs * sizeof(char *dirs)))) {
    /* Handle Errorerror */
  }
   
  if (!(dirs[num_of_dirs - 1] = strdup(pathfullpath))) {
    /* Handle Errorerror */
  }
  
  if (!(path_copy = strdup(pathfullpath))) {
    /* Handle Errorerror */
  }

  for
 (i =/* 1;Now ifill <the num_of_dirs; i++) {array */
    dirnamepath_resparent = dirname(path_copy);
  for  free(path_copy);
    path_copy = NULL;

    if (!(dirs[(i = num_of_dirs - 2; i - 1] = strdup(dirname_res)))>= 0; i--) {
    path_parent  /* Handle Error */
    }

= dirname(path_parent);
    if (!(path_copydirs[i] = strdup(dirnamepath_resparent))) {
      /* Handle Errorerror */
    }
  }
  free(path_copy);
  path_copy = NULL;
  
  /*
   * Traverse from the root to the topfullpath, checking
   * checking permissions along the way.
   */
  for (i = 0; i < num_of_dirs; i++) {
    if (statlstat(dirs[i], &buf) != 0) {
       /* Handle Errorerror */
    }
     
    if (!((S_ISLNK(buf.st_mode)) { /* Symlink, test linked-to file */
      linksize = buf.st_uid == my_uid) || (buf.st_uid == 0)size + 1;
      if (!(link = (char *)malloc(linksize))) {
        /* Handle error */
      }
       
      r = readlink(dirs[i], link, linksize);
      if (r == -1) {
        /* Handle error */
      } else if (r >= linksize) {
        /* Handle truncation error */
      }
      link[r] = '\0';
 
      num_symlinks++;
      r = secure_dir(link);
      num_symlinks--;
        ||(buf.st_gid == my_gid) || (buf.st_gid == 0)
      if (!r) {
        secure = 0;
 
        free(link);
        link = NULL;
        break;
      }
       
      free(link);
      link = NULL;
       
      continue;
    }
     
    if (!S_ISDIR(buf.st_mode)) { /* Not a directory */
      secure = 0;
      break;
    }
     
   || if ((buf.st_mode & S_IRWXO)))uid != my_uid) && (buf.st_uid != 0)) {
      /* Directory is owned by someone besides user or has a group other than root root */
      secure = 0;
      break;
    }
     
    if (buf.st_mode & (S_IWGRP | S_IWOTH)) { /* ordir file is accessiblewritable by other usersothers */
      insecuresecure = -1 0;
      break;
    }
  }
   
  for (i = 0; i < num_of_dirs; i++) {
    free(dirs[i]);
    dirs[i] = NULL;
  }
  
  free(dirs);
  dirs = NULL;
  
  return insecuresecure;
}

This compliant solution uses the secure_dir() function above to verify that my_secret is written to a secure fileensure that an attacker may not tamper with the file to be opened and subsequently removed. Note that once the path name of a directory has been checked using secure_dir(), all further file operations on that directory must be performed using the same path.

Code Block
bgColor#ccccff
langc
char *dir_name;
const char *file_name = "passwd"; /* File name within the secure directory */
FILE *fp;

/* Initialize dir_name */

if (!secure_dir(dir_name)) {
  /* Handle error */
}

if (chdir(dir_name) == -1) {
  /* Handle error */
}

fp = fopen(file_name, "w");
if (fp == NULL
void write_secret(const char* path, secret_t my_secret) {
  if (secure_dir(path) != 0) {
  /* Handle error */
}

/* Handle Error ... Process file ... */

if  }(fclose(fp) != 0) {
  /* save my_secret to the file specified by path Handle error */
}

if (remove(file_name) != 0) {
  /* Handle error */
}

Risk Assessment

Failing to ensure proper permissions perform file I/O operations in a directory may lead to sensitive data getting saved to (or critical configuration or other input files being read from) public directories to which an attacker has accesssecure directory that cannot otherwise be securely performed can result in a broad range of file system vulnerabilities.

Recommendation

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

FIO17

FIO15-

A

C

Medium

medium

Probable

probable

No

high

No

P4

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\]
\[[Open Group 04|AA. C References#Open Group 04]\] [{{dirname()}}|http://www.opengroup.org/onlinepubs/009695399/functions/dirname.html], [{{realpath()}}|http://www.opengroup.org/onlinepubs/009695399/functions/realpath.html]
\[[Viega 03|AA. C References#Viega 03]\] Section 2.4, "Determining Whether a Directory Is Secure"

Related Guidelines

SEI CERT C++ Coding StandardVOID FIO15-CPP. Ensure that file operations are performed in a secure directory
MITRE CWECWE-379, Creation of temporary file in directory with insecure permissions
CWE-552, Files or directories accessible to external parties

Bibliography

[IEEE Std 1003.1:2013]XSH, System Interfaces, dirname
XSH, System Interfaces, realpath
[Viega 2003]Section 2.4, "Determining Whether a Directory Is Secure"


...

Image Added Image Added FIO16-A. Limit access to files by creating a jail      09. Input Output (FIO)       Image Modified