SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 124

changes.mady.by.user Shannon Haas

Saved on

compared with

New Version 125

changes.mady.by.user Shannon Haas

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

...

Code Block
bgColor#FFCCCC
langc
char *file_name;
FILE *fp;

/* initialize file_name */

fp = fopen(file_name, "w");
if (!fp){
  /* Handle error */
}

Implementation Details

Wiki MarkupOn POSIX-compliant systems, the permissions may be restricted by the value of the POSIX {{umask()}} function \[ [Open Group 2004|AA. Bibliography#Open Group 04]\].

Wiki MarkupThe operating system modifies the access permissions by computing the intersection of the inverse of the umask and the permissions requested by the process \ [[Viega 2003|AA. Bibliography#Viega 03]\]. For example, if the variable {{requested_permissions}} contained the permissions passed to the operating system to create a new file, the variable {{actual_permissions}} would be the actual permissions that the operating system would use to create the file:

Code Block
requested_permissions = 0666;
actual_permissions = requested_permissions & ~umask();

Wiki MarkupFor OpenBSD and Linux operating systems, any file created will have mode {{S_IRUSR\|S_IWUSR\|S_IRGRP\|S_IWGRP\|S_IROTH\|S_IWOTH}} (0666), as modified by the process's umask value. (See [{{fopen(3)}}|http://www.openbsd.org/cgi-bin/man.cgi?query=open&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html] in the OpenBSD Manual Pages \ [[OpenBSD|AA. Bibliography#OpenBSD]\].)

Compliant Solution (fopen_s() ISO/IEC TR 24731-1)

Wiki MarkupThe ISO/IEC TR 24731-1 function {{fopen_s()}} can be used to create a file with restricted permissions \[ [ISO/IEC TR 24731-1:2007|AA. Bibliography#ISO/IEC TR 24731-1-2007]\]:

If the file is being created, and the first character of the mode string is not 'u', to the extent that the underlying system supports it, the file shall have a file permission that prevents other users on the system from accessing the file. If the file is being created and the first character of the mode string is 'u', then by the time the file has been closed, it shall have the system default file access permissions.

...

Code Block
bgColor#ccccff
langc
char *file_name;
int file_access_permissions;

/* initialize file_name and file_access_permissions */

int fd = open(
  file_name,
  O_CREAT | O_WRONLY,
  file_access_permissions
);
if (fd == -1){
  /* Handle error */
}

Wiki MarkupJohn Viega and Matt Messier also provide the following advice \ [[Viega 2003|AA. Bibliography#Viega 03]\]:

Do not rely on setting the umask to a "secure" value once at the beginning of the program and then calling all file or directory creation functions with overly permissive file modes. Explicitly set the mode of the file at the point of creation. There are two reasons to do this. First, it makes the code clear; your intent concerning permissions is obvious. Second, if an attacker managed to somehow reset the umask between your adjustment of the umask and any of your file creation calls, you could potentially create sensitive files with wide-open permissions.

...

MITRE CWE: CWE-732, "Incorrect Permission Assignment for Critical Resource"

Bibliography

...

\[[CVE|AA. Bibliography#CVE]\] \[[OpenBSD|AA. Bibliography#OpenBSD]\] \[[Open Group 2004|AA. Bibliography#Open Group 04]\] "The {{open}} function," and "The {{umask}} function" \[[Viega 2003|AA. Bibliography#Viega 03]\] Section 2.7, "Restricting Access Permissions for New Files on UNIX" \[[Dowd 2006|AA. Bibliography#Dowd 06]\] Chapter 9, "UNIX 1: Privileges and ]
[OpenBSD]
[Open Group 2004] "The open function," and "The umask function"
[Viega 2003] Section 2.7, "Restricting Access Permissions for New Files on UNIX"
[Dowd 2006] Chapter 9, "UNIX 1: Privileges and Files"

...

      09. Input Output (FIO)      FIO07-C. Prefer fseek() to rewind()