 
                            File operations should be performed in a secure directory. In most cases, a secure directory is a directory in which no one other than the user, or possibly the administrator, has the ability to create, rename, delete, or otherwise manipulate files. (Other users may read or search the directory , but generally may not modify the directory's contents in any way.) Also, other users must not be able to delete or rename files in the parent of the secure directory and all higher directories, although creating new files , or deleting or renaming files they own is permissible.
Performing file operations in a secure directory eliminates the possibility that an attacker might tamper with the files or file system to exploit a file system vulnerability in a program. These vulnerabilities often exist because there is a loose binding between the file name and the actual file. (See recommendation FIO01-C. Be careful using functions that use file names for identification.) In some cases, file operations can be performed securely anywhere. In other cases, the only way to ensure secure file operations is to perform the operation within a secure directory.
Ensuring that file systems are configured in a safe manner is typically a system administration function. However, programs can often check that a file system is securely configured before performing file operations that may potentially lead to security vulnerabilities if the system is misconfigured. There is a slight possibility that file systems will be reconfigured in an insecure manner while a process is running and after the check has been made. As a result, it is always advisable to implement your code in a secure manner (that is, consistent with the other rules and recommendations in this section) even when running in a secure directory.
...
In this noncompliant code example, the file identified by file_name is opened, processed, closed, and removed.:
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| char *file_name; FILE *fp; /* initializeInitialize file_name */ fp = fopen(file_name, "w"); if (fp == NULL) { /* Handle error */ } /* ... Process file ... */ if (fclose(fp) != 0) { /* Handle error */ } if (remove(file_name) != 0) { /* Handle error */ } | 
An attacker can replace the file object identified by file_name with a link to an arbitrary file before the call to fopen(). It is also possible that the file object identified by file_name in the call to remove() is not the same file object identified by file_name in the call to fopen(). If the file is not in a secure directory, for example, /tmp/app/tmpdir/passwd, then an attacker can manipulate the location of the file as follows:
| Code Block | 
|---|
| 
% cd /tmp/app/ 
% rm -rf tmpdir
% ln -s /etc tmpdir
 | 
There is not Not much that can be done programmatically done to ensure the file removed is the same file that was opened, processed, and closed, except to make sure that the file is opened in a secure directory with privileges that would prevent the file from being manipulated by an untrusted user.
Compliant Solution (POSIX)
This sample implementation of a the function secure_dir() function ensures that path the directory fullpath and all directories above it are owned by either the user or the superuser , that path does and that other users do not have write access for any other users, and that directories above path may not be deleted or renamed by any other usersto the directories. When checking directories, it is important to traverse from the root to the leaf to avoid a dangerous race condition where in which an attacker who has privileges to at least one of the directories can rename and recreate re-create a directory after the privilege verification.
The path name passed to this function must be absolute, but it does not need to be canonical. (See recommendation fullpath need not be canonicalized (see FIO02-C. Canonicalize path names originating from  untrusted tainted sources). ) If the path contains a symbolic link, this routine will recursively invoke invokes itself on the linked-to directory and ensure ensures it is also secure. A symlinked symbolically linked directory may be secure if both its source and linked-to directory are secure. The function checks every directory in the canonical path, ensuring that every directory is owned by the current user or by root, that the leaf directory disallows write access to everyone but the owner, and that all other directories in the path forbid other users from deleting or renaming files (either by turning off group write access and world write access, or by turning on the sticky bit).
Note that this function is only effective on filesystems that are fully compatible with UNIX permissions, and it may not behave normally for filesystems with other permission mechanisms, such as AFS.
Note that this function is effective only on file systems that are fully compatible with UNIX permissions, and it may not behave normally for file systems with other permission mechanisms, such as AFS (Andrew File System).
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| #include <stdlib. | ||||
| Code Block | ||||
| 
 | ||||
| #include <stdlib.h> #include <limits.h> #include <string.h> #include <libgen.h> #include <unistd.h> #include <sys/stat.h> #include <sys/types.h> enum { MAX_SYMLINKS = 5 }; /* Returns nonzero if directory is secure, zero otherwise */ int secure_dir(const char *fullpath) { static unsigned int num_symlinks = 0; char *path_copy = NULL; char **dirs = NULL; int num_of_dirs = 1; int secure = 1; int i, r; struct stat buf; uid_t my_uid = geteuid(); size_t linksize; char* link; if (!fullpath || fullpath[0] != '/') { /* Handle error */ } if (num_symlinks > MAX_SYMLINKS) { //* Could be a symlink loop */ /* Handle error */ } if (!(path_copy = strdup(fullpath))) { /* Handle error */ } //* Figure out how far it is to the root */ for (; ((char* path_parent = path_copy; for (; ((strcmp(path_copyparent, "/") != 0) && (strcmp(path_copyparent, "//") != 0) && (strcmp(path_parent, ".") != 0)); path_copyparent = dirname(path_copyparent)) { num_of_dirs++; } //* nowNow num_of_dirs indicates # of dirs we must check */ free(path_copy); path_copy = NULL; if (!(dirs = (char **)malloc(num_of_dirs * sizeof(char *)))) { /* Handle error */ } if (!(dirs[num_of_dirs - 1] = strdup(fullpath))) { /* Handle error */ } if (!(path_copy = strdup(fullpath))) { /* Handle error */ } //* Now fill the dirs array */ path_parent = path_copy; for (i = num_of_dirs - 2; i >= 0; i--) { path_copyparent = dirname(path_copyparent); if (!(dirs[i] = strdup(path_copyparent))) { /* Handle error */ } } free(path_copy); path_copy = NULL; //* * Traverse from the root to the fullpath, // * checking permissions along the way. */ for (i = 0; i < num_of_dirs; i++) { if (lstat(dirs[i], &buf) != 0) { /* Handle error */ } if (S_ISLNK(buf.st_mode)) { //* symlinkSymlink, test linked-to file */ linksize = buf.st_size + 1; if (!(link = (char *)malloc(linksize))) { /* Handle error */ } r = readlink(dirs[i], link, linksize); if (r == -1) { /* Handle error */ } else if (r >= linksize) { /* Handle truncation error */ } link[r] = '\0'; num_symlinks++; r = secure_dir(link); num_symlinks--; if (!r) { secure = 0; free(link); link = NULL; break; } free(link); link = NULL; continue; } if (!S_ISDIR(buf.st_mode)) { //* notNot a directory */ secure = 0; break; } if ((buf.st_uid != my_uid) && (buf.st_uid != 0)) { //* Directory is owned by someone besides user or root */ secure = 0; break; } if (buf.st_mode & (S_IWGRP | S_IWOTH)) { //* dir is writable by others */ secure = 0; break; } } for (i = 0; i < num_of_dirs; i++) { free(dirs[i]); dirs[i] = NULL; } free(dirs); dirs = NULL; return secure; } | 
This compliant solution uses this the secure_dir() function to ensure that an attacker may not tamper with the file to be opened and subsequently removed. Note that once the path name of a directory has been checked using secure_dir(), all further file operations on that directory must be performed using the same path.
| Code Block | ||||
|---|---|---|---|---|
| 
 | ||||
| char *dir_name; const char *file_name = "passwd"; /* fileFile name within the secure directory */ FILE *fp; /* initializeInitialize dir_name */ if (!secure_dir(dir_name)) { /* Handle error */ } if (chdir(dir_name) == -1) { /* Handle error */ } fp = fopen(file_name, "w"); if (fp == NULL) { /* Handle error */ } /* ... Process file ... */ if (fclose(fp) != 0) { /* Handle error */ } if (remove(file_name) != 0) { /* Handle error */ } | 
...
Failing to perform file I/O operations in a secure directory that cannot otherwise be securely performed can result in a broad range of file system vulnerabilities.
| Recommendation | Severity | Likelihood | Detectable | 
|---|
| Repairable | Priority | Level | 
|---|---|---|
| FIO15-C | 
| Medium | Probable | 
| No | 
| No | P4 | L3 | 
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
...
...
...
...
...
| -379, | 
...
| Creation of | 
...
| temporary file in | 
...
| directory with insecure permissions CWE-552, Files or directories accessible to external parties | 
Bibliography
| [IEEE Std 1003.1:2013] | XSH, System Interfaces, dirnameXSH, System Interfaces, realpath | 
| [Viega 2003] | Section 2.4, "Determining Whether a Directory Is Secure" | 
...
Bibliography
| Wiki Markup | 
|---|
| \[[Open Group 2004|AA. Bibliography#Open Group 04]\] [{{dirname()}}|http://www.opengroup.org/onlinepubs/009695399/functions/dirname.html], [{{realpath()}}|http://www.opengroup.org/onlinepubs/009695399/functions/realpath.html]
\[[Viega 2003|AA. Bibliography#Viega 03]\] Section 2.4, "Determining Whether a Directory Is Secure" | 
09. Input Output (FIO) FIO16-C. Limit access to files by creating a jail