SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 112

changes.mady.by.user Steve Christey

Saved on

compared with

New Version 113

changes.mady.by.user Gina DeCola

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#FFCCCC
char *file_name;
FILE *fp;

/* initialize file_name */

fp = fopen(file_name, "w");
if (!fp){
  /* handleHandle Errorerror */
}

Implementation Details

...

If the file is being created, and the first character of the mode string is not 'u', to the extent that the underlying system supports it, the file shall have a file permission that prevents other users on the system from accessing the file. If the file is being created and the first character of the mode string is 'u', then by the time the file has been closed, it shall have the system default file access permissions.

The ' u ' character can be thought of as standing for "umask," meaning that these are the same permissions that the file would have been created with had it been created by fopen(). In this compliant solution, the u mode character is omitted so that the file is opened with restricted privileges (regardless of the umask).

Code Block
bgColor#ccccff
char *file_name;
FILE *fp;

/* initialize file_name */

errno_t res = fopen_s(&fp, file_name, "w");
if (res != 0) {
  /* handleHandle Errorerror */
}

Noncompliant Code Example: open() (POSIX)

Using the POSIX function open() function to create a file, but failing to provide access permissions for that file, may cause the file to be created with overly permissive access permissions. This omission has been known to lead to vulnerabilities (for instance, CVE-2006-1174).

Code Block
bgColor#FFCCCC
char *file_name;
int fd;

/* initialize file_name */

fd = open(file_name, O_CREAT | O_WRONLY);
/* access permissions were missing */

if (fd == -1){
  /* handleHandle Errorerror */
}

This example also violates EXP37-C. Call functions with the arguments intended by the API.

...

Code Block
bgColor#ccccff
char *file_name;
int file_access_permissions;

/* initialize file_name and file_access_permissions */

int fd = open(
  file_name,
  O_CREAT | O_WRONLY,
  file_access_permissions
);
if (fd == -1){
  /* handleHandle Errorerror */
}

Wiki Markup
John Viega and Matt Messier also provide the following advice \[[Viega 03|AA. C References#Viega 03]\]:

...

Wiki Markup
\[[CVE|AA. C References#CVE]\]
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.19.5.3, "The {{fopen}} function"
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "XZN Missing or Inconsistent Access Control"
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 279|http://cwe.mitre.org/data/definitions/279.html], "Insecure Execution-assigned Permissions," and [CWE ID 276|http://cwe.mitre.org/data/definitions/276.html], "Insecure Default Permissions"
\[[OpenBSD|AA. C References#OpenBSD]\]
\[[Open Group 04|AA. C References#Open Group 04]\] "The {{open}} function," and "The {{umask}} function"
\[[ISO/IEC TR 24731-1:2007|AA. C References#SO/IEC TR 24731-1-2007]\] Section 6.5.2.1, "The {{fopen_s}} function"
\[[Viega 03|AA. C References#Viega 03]\] Section 2.7,  "Restricting Access Permissions for New Files on UNIX"
\[[Dowd 06|AA. C References#Dowd 06]\] Chapter 9, "UNIX 1: Privileges and Files"

...