Many file related security vulnerabilities result from a program accessing a file different from the one intended. In the C programming language, character-based file names are bound to underlying file objects in name only. File names provide no information regarding the nature of the file object itself. Furthermore, the binding of a file name to a file object is reasserted every time the file name is used in an operation. However, once a file has been opened, it is no longer susceptible to these types of attacks so long as it is accessed via a file descriptor. Thus, it is recommended that files are accessed through file handles, versus filenames.
Non-Compliant Example 1
In this example, the function chmod(...) is called to set the permissions of a file. However, if the file file_name has been changed from the time it was opened, the permissions may be changed on a different file then intended.
FILE * f_ptr = fopen(file_name,"w");
f_ptr = fopen(file_name,"w");
if (!f_ptr) {
/* Handle fopen() Error */
}
...
if (chmod(file_name, new_mode) == -1) {
/* Handle chmod() Error */
}
/* Process file */
Compliant Solution 1
To correct the error, use functions that operate on file descriptors. This means using open() in stead of fopen() and fchmod(...) instead of chmod(...).
fd = open(file_name, O_WRONLY | O_CREAT, 0600);
if (fd == -1) {
/* Handle open() error */
}
...
if (fchmod(fd, new_mode) == -1) {
/* Handle chmod() Error */
}
/* Process file */
Priority: ?? Level: ??
References
- Seacord 05 Chapter 7, File I/O
- ISO/IEC 9899-1999 Sections 7.19.3, Files
- ISO/IEC 9899-1999 Sections 7.19.4, Operations on Files
- Apple Secure Coding Guide Avoiding Race Conditions and Insecure File Operations