
Many file-related security vulnerabilities result from a program accessing a file object different from the one intended. In ISO/IEC 9899-1999 C, character-based file names are bound to underlying file objects in name only. File names provide no information regarding the nature of the file object itself. Furthermore, the binding of a file name to a file object is reasserted every time the file name is used in an operation, so two operations on the same name are not guaranteed to act on the same object. File descriptors and FILE pointers, by contrast, are bound to underlying file objects by the operating system.

Accessing files via file descriptors or FILE pointers rather than file names provides a greater level of certainty with regard to the object that is actually acted on. It is recommended that files be accessed through file descriptors or FILE pointers where possible.

Non-Compliant Code Example

In this example, the function chmod() is called to set the permissions of a file. However, it is not clear whether the file object referred to by file_name in the call to fopen() is the same object referred to by file_name in the call to chmod(), because the name is resolved again on each use.

...
FILE *f_ptr = fopen(file_name, "w");
if (!f_ptr) {
  /* Handle fopen() Error */
}
...
/* file_name is resolved a second time here; the object it names may have changed */
if (chmod(file_name, new_mode) == -1) {
  /* Handle chmod() Error */
}
/* Process file */

Compliant Solution

This compliant solution uses variants of the functions used in the non-compliant code example that operate on file descriptors or file pointers rather than file names. Because fchmod() acts on the descriptor returned by open(), the file opened is guaranteed to be the file that is operated on; O_EXCL additionally ensures that open() created the file rather than opening a pre-existing object.

...
fd = open(file_name, O_WRONLY | O_CREAT | O_EXCL, file_mode);
if (fd == -1) {
  /* Handle open() error */
}
...
/* fchmod() operates on the open descriptor, not on the name */
if (fchmod(fd, new_mode) == -1) {
  /* Handle fchmod() Error */
}
/* Process file */
...

The fchmod() function is defined in IEEE Std 1003.1, 2004 [[Open Group 04]] and can only be used on POSIX-compliant systems.
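The pattern above carried through as an added example (not code from the original page): the file is created exclusively, its mode is set with fchmod(), and fstat() on the same descriptor confirms that the object acted on is a regular file with the requested permissions. The demo function, the /tmp path and the modes 0600 and 0644 are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create path exclusively, then set and verify its mode through the
 * descriptor only. Returns the open descriptor, or -1 on any failure. */
int create_with_mode(const char *path, mode_t create_mode, mode_t new_mode) {
  int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, create_mode);
  if (fd == -1) {
    return -1;                 /* EEXIST means the name was already taken */
  }
  struct stat st;
  /* fchmod() and fstat() act on the object we opened, not on the name */
  if (fchmod(fd, new_mode) == -1 || fstat(fd, &st) == -1 ||
      !S_ISREG(st.st_mode) || (st.st_mode & 07777) != new_mode) {
    close(fd);
    return -1;
  }
  return fd;
}

/* Demonstration on a constructed temporary path (assumes a writable /tmp).
 * Returns the permission bits observed on the descriptor, or -1 on failure;
 * it also requires that a second exclusive create of the same name fails. */
int demo_mode(void) {
  char dir[] = "/tmp/fio01_demo_XXXXXX";
  char path[64];
  int result = -1;
  if (mkdtemp(dir) == NULL) {
    return -1;
  }
  snprintf(path, sizeof path, "%s/data", dir);
  int fd = create_with_mode(path, 0600, 0644);
  if (fd != -1) {
    struct stat st;
    /* O_EXCL guarantees we created the object: a repeat create must fail */
    if (fstat(fd, &st) == 0 && create_with_mode(path, 0600, 0644) == -1 &&
        errno == EEXIST) {
      result = (int)(st.st_mode & 07777);
    }
    close(fd);
  }
  unlink(path);
  rmdir(dir);
  return result;
}
```

Note that the mode set by fchmod() is not masked by the process umask, whereas the mode passed to open() is, which is why the verification compares against new_mode rather than create_mode.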

Risk Assessment

Many file-related vulnerabilities, for instance time-of-check, time-of-use (TOCTOU) race conditions, are exploited to cause a program to access an unintended file. Using FILE pointers or file descriptors to identify files instead of file names reduces the chance of accessing an unintended file. Remediation costs can be high, because there is no portable secure solution.

Rule     Severity  Likelihood  Remediation Cost  Priority  Level
FIO01-A  3 (high)  2 (likely)  1 (high)          P6        L2

References
