
...

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { array_max = 100 };

/*
 * Program running with elevated privileges where argv[1]
 * and argv[2] are supplied by the user
 */
int main(int argc, char *argv[]) {
  char x[array_max];
  FILE *fp;

  if (argc != 3) {
    /* Handle error */
    return EXIT_FAILURE;
  }

  /* argv[1] is used as a path with no restriction on where it may point */
  fp = fopen(argv[1], "w");
  if (fp == NULL) {
    /* Handle error */
    return EXIT_FAILURE;
  }

  strncpy(x, argv[2], array_max);
  x[array_max - 1] = '\0';

  /*
   * Write operation to an unintended file like /etc/passwd
   * gets executed
   */
  if (fwrite(x, sizeof(x[0]), sizeof(x)/sizeof(x[0]), fp) <
      sizeof(x)/sizeof(x[0])) {
    /* Handle Error */
  }
  fclose(fp);
  return EXIT_SUCCESS;
}

An attacker can control the value of argv[1] and, consequently, access any resource on the file system that the elevated process is allowed to open.

This noncompliant code example also violates recommendations FIO02-C. Canonicalize path names originating from untrusted sources and FIO03-C. Do not make assumptions about fopen() and file creation.

Compliant Solution (UNIX)

...

Some UNIX-based systems (such as OpenBSD) can restrict file system access by creating a chroot() jail. The chroot jail requires care to implement securely [Wheeler 2003]. This is achieved by passing a predefined directory name as an argument to chroot(). The call to chroot() requires superuser privileges. However, this call does not leave the process inside the jail directory as one would expect. A subsequent chdir() is required to restrict access to the jail boundaries.

Another essential step is to drop superuser privileges permanently after these calls. (See recommendation POS02-C. Follow the principle of least privilege.) The chroot() system call is not secure against the superuser changing the current root directory (if privileges are not dropped). Successful jail creation prevents unintentional file system access even if an attacker gives malicious input, such as through command-line arguments.
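The sequence the two paragraphs above describe, as an added example rather than the standard's own compliant solution code: chroot() into a predefined directory, chdir() into it, drop privileges permanently, verify the drop, and only then open the user-named file. JAIL_DIR and the unprivileged uid/gid are assumed placeholders.

```c
#define _DEFAULT_SOURCE 1   /* makes glibc declare chroot() in <unistd.h> */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_DIR "/var/jail/placeholder"   /* placeholder: predefined jail directory */
#define UNPRIV_UID ((uid_t)65534)           /* placeholder: unprivileged user id */
#define UNPRIV_GID ((gid_t)65534)           /* placeholder: unprivileged group id */

/* Enter the jail rooted at dir and drop to uid/gid for good.
 * Returns 0 on success, -1 on failure with errno set by the failing call. */
int enter_jail(const char *dir, uid_t uid, gid_t gid) {
  if (chroot(dir) == -1)   /* needs superuser privileges; fails for everyone else */
    return -1;
  if (chdir("/") == -1)    /* chroot() alone does not move the process into the jail */
    return -1;
  /* Drop the group first: after setuid() the process can no longer change its gid. */
  if (setgid(gid) == -1 || setuid(uid) == -1)
    return -1;
  /* The drop must be irreversible; regaining uid 0 means it was not. */
  if (setuid(0) != -1) {
    errno = EPERM;
    return -1;
  }
  return 0;
}

int main(int argc, char *argv[]) {
  enum { array_max = 100 };
  char x[array_max];
  if (argc != 3) {
    fprintf(stderr, "usage: %s <file> <data>\n", argv[0]);
    return EXIT_FAILURE;
  }
  if (enter_jail(JAIL_DIR, UNPRIV_UID, UNPRIV_GID) == -1) {
    perror("enter_jail");
    return EXIT_FAILURE;
  }
  /* From here on argv[1] can only resolve to a file below JAIL_DIR. */
  FILE *fp = fopen(argv[1], "w");
  if (fp == NULL) {
    perror("fopen");
    return EXIT_FAILURE;
  }
  strncpy(x, argv[2], array_max);
  x[array_max - 1] = '\0';
  if (fwrite(x, sizeof x[0], sizeof x / sizeof x[0], fp) < sizeof x / sizeof x[0])
    perror("fwrite");
  return fclose(fp) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```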

...

CERT C++ Secure Coding Standard: FIO16-CPP. Limit access to files by creating a jail

Bibliography

[Wheeler 2003] Section 7.4, "Minimize Privileges", http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/minimize-privileges.html

...
