...
The fopen() function does not allow the programmer to explicitly specify file access permissions. In this non-compliant code example, if the call to fopen() creates a new file, the access permissions are implementation-defined.
| Code Block |
|---|
|
char *file_name;
FILE *fp;
/* initialize *fptrfile_name */
fp = fopen(file_name, "w");
if (!fptrfp){
/* Handlehandle Error */
}
|
Implementation Details
...
The 'u' character can be thought of as standing for "umask," meaning that these are the same permissions that the file would have been created with had it been created by fopen().
| Code Block |
|---|
|
char *file_name;
FILE *fptr;fp;
/* initialize file_name */
errno_t res = fopen_s(&fptrfp, file_name, "w");
if (res != 0) {
/* Handlehandle Error */
}
|
Non-Compliant Code Example: open() (POSIX)
Using the POSIX function open() to create a file, but failing to provide access permissions for that file, may cause the file to be created with overly permissive access permissions. This omission has been known to lead to vulnerabilities (for instance, CVE-2006-1174).
| Code Block |
|---|
|
char *file_name;
int fd;
/* access permissions are missinginitialize file_name */
int
fd = open(file_name, O_CREAT | O_WRONLY);
/* access permissions were missing */
if (fd == -1){
/* Handlehandle Error */
}
|
Compliant Solution: open() (POSIX)
Access permissions for the newly created file should be specified in the third argument to open(). Again, the permissions are modified by the value of umask().
| Code Block |
|---|
|
char *file_name;
int file_access_permissions;
/* initialize file_name and file_access_permissions */
int fd = open(
file_name,
O_CREAT | O_WRONLY,
file_access_permissions
);
if (fd == -1){
/* Handlehandle Error */
}
|
| Wiki Markup |
|---|
John Viega and Matt Messier also provide the following advice \[[Viega 03|AA. C References#Viega 03]\]: |
...
