...
When setting access permissions, it is important to make sure that an attacker is not able to alter them. (See recommendation FIO15-C. Ensure that file operations are performed in a secure directory.)
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *file_name;
FILE *fp;
/* initialize file_name */
fp = fopen(file_name, "w");
if (!fp){
/* Handle error */
}
|
...
The operating system modifies the access permissions by computing the intersection of the inverse of the umask and the permissions requested by the process [Viega 2003]. For example, if the variable requested_permissions contained the permissions passed to the operating system to create a new file, the variable actual_permissions would be the actual permissions that the operating system would use to create the file:
| Code Block |
|---|
requested_permissions = 0666;
actual_permissions = requested_permissions & ~umask();
|
For OpenBSD and Linux operating systems, any file created will have mode S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH (0666), as modified by the process's umask value. (See fopen(3) in the OpenBSD Manual Pages [OpenBSD].)
Compliant Solution (fopen_s(), ISO/IEC TR 24731-1)
The ISO/IEC TR 24731-1 function fopen_s() can be used to create a file with restricted permissions [ISO/IEC TR 24731-1:2007]:
If the file is being created, and the first character of the mode string is not 'u', to the extent that the underlying system supports it, the file shall have a file permission that prevents other users on the system from accessing the file. If the file is being created and the first character of the mode string is 'u', then by the time the file has been closed, it shall have the system default file access permissions.
The u character can be thought of as standing for "umask," meaning that these are the same permissions that the file would have been created with had it been created by fopen(). In this compliant solution, the u mode character is omitted so that the file is opened with restricted privileges (regardless of the umask).
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *file_name;
FILE *fp;
/* initialize file_name */
errno_t res = fopen_s(&fp, file_name, "w");
if (res != 0) {
/* Handle error */
}
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *file_name;
int fd;
/* initialize file_name */
fd = open(file_name, O_CREAT | O_WRONLY);
/* access permissions were missing */
if (fd == -1){
/* Handle error */
}
|
This example also violates rule EXP37-C. Call functions with the arguments intended by the API.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *file_name;
int file_access_permissions;
/* initialize file_name and file_access_permissions */
int fd = open(
file_name,
O_CREAT | O_WRONLY,
file_access_permissions
);
if (fd == -1){
/* Handle error */
}
|
...
CERT C++ Secure Coding Standard: FIO06-CPP. Create files with appropriate access permissions
The CERT Oracle Secure Coding Standard for Java: FIO01-J. Create files with appropriate access permissions
ISO/IEC 9899:1999 Section 2011 Section 7.1921.5.3, "The fopen function"
ISO/IEC TR 24772 "XZN Missing or Inconsistent Access Controlinconsistent access control"
ISO/IEC TR 24731-1:2007 Section 6.5.2.1, "The fopen_s function"
The CERT Oracle Secure Coding Standard for Java: FIO01-J. Create files with appropriate access permissions
MITRE CWE: CWE-279, "Insecure Executionexecution-assigned Permissionspermissions"
MITRE CWE: CWE-276, "Insecure Default Permissionsdefault permissions"
MITRE CWE: CWE-732, "Incorrect Permission Assignment for Critical Resourcepermission assignment for critical resource"
Bibliography
[CVE]
[OpenBSD]
[Open Group 2004] "The open function," and "The umask function"
[Viega 2003] Section 2.7, "Restricting Access Permissions for New Files access permissions for new files on UNIX"
[Dowd 2006] Chapter 9, "UNIX 1: Privileges and Files"
...