Creating a file with insufficiently restrictive access permissions may allow an unprivileged user to access that file. Although access permissions are heavily dependent on the file system, many file-creation functions provide mechanisms to set (or at least influence) access permissions. When these functions are used to create files, appropriate access permissions should be specified to prevent unintended access.
When setting access permissions, it is important to make sure that an attacker cannot alter them. (See FIO15-C. Ensure that file operations are performed in a secure directory.)
Noncompliant Code Example (
fopen() function does not allow the programmer to explicitly specify file access permissions. In this noncompliant code example, if the call to
fopen() creates a new file, the access permissions are implementation-defined:
On POSIX-compliant systems, the permissions may be restricted by the value of the POSIX
umask() function [IEEE Std 1003.1:2013].
The operating system modifies the access permissions by computing the intersection of the inverse of the umask and the permissions requested by the process [Viega 2003]. For example, if the variable
requested_permissions contained the permissions passed to the operating system to create a new file, the variable
actual_permissions would be the actual permissions that the operating system would use to create the file:
For OpenBSD and Linux operating systems, any file created will have mode
S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH (0666), as modified by the process's umask value. (See
fopen(3) in the OpenBSD Manual Pages [OpenBSD].)
Compliant Solution (
fopen_s(), C11 Annex K)
The C11 Annex K function
fopen_s() can be used to create a file with restricted permissions [ISO/IEC 9899:2011]:
If the file is being created, and the first character of the mode string is not 'u', to the extent that the underlying system supports it, the file shall have a file permission that prevents other users on the system from accessing the file. If the file is being created and the first character of the mode string is 'u', then by the time the file has been closed, it shall have the system default file access permissions.
The u character can be thought of as standing for "umask," meaning that these are the same permissions that the file would have been created with had it been created by
fopen(). In this compliant solution, the
u mode character is omitted so that the file is opened with restricted privileges (regardless of the umask):
fopen_s() will create the file with security permissions based on the user executing the application. For more controlled permission schemes, consider using the
CreateFile() function and specifying the
Noncompliant Code Example (
Using the POSIX
open() function to create a file but failing to provide access permissions for that file may cause the file to be created with overly permissive access permissions. This omission has been known to lead to vulnerabilities—for example, CVE-2006-1174.
This example also violates EXP37-C. Call functions with the correct number and type of arguments.
Compliant Solution (
Access permissions for the newly created file should be specified in the third argument to
open(). Again, the permissions are modified by the value of
John Viega and Matt Messier also provide the following advice [Viega 2003]:
Do not rely on setting the umask to a "secure" value once at the beginning of the program and then calling all file or directory creation functions with overly permissive file modes. Explicitly set the mode of the file at the point of creation. There are two reasons to do this. First, it makes the code clear; your intent concerning permissions is obvious. Second, if an attacker managed to somehow reset the umask between your adjustment of the umask and any of your file creation calls, you could potentially create sensitive files with wide-open permissions.
Creating files with weak access permissions may allow unintended access to those files.
CodeSonar's custom checking infrastructure allows users to implement checks such as the following.
|LDRA tool suite|
|44 S||Enhanced Enforcement|
|Polyspace Bug Finder|
Argument gives read/write/search permissions to external users
|SEI CERT C++ Coding Standard||VOID FIO06-CPP. Create files with appropriate access permissions|
|CERT Oracle Secure Coding Standard for Java||FIO01-J. Create files with appropriate access permissions|
|ISO/IEC TR 24772:2013||Missing or Inconsistent Access Control [XZN]|
|MITRE CWE||CWE-276, Insecure default permissions|
CWE-279, Insecure execution-assigned permissions
CWE-732, Incorrect permission assignment for critical resource
|[Dowd 2006]||Chapter 9, "UNIX 1: Privileges and Files"|
|[IEEE Std 1003.1:2013]||XSH, System Interfaces, |
XSH, System Interfaces,
|[ISO/IEC 9899:2011]||Subclause K.22.214.171.124, "The |
|[Viega 2003]||Section 2.7, "Restricting Access Permissions for New Files on UNIX"|