Creating a file with weak access permissions may allow unintended access to that file. Although access permissions are heavily dependent on the operating system, many file creation functions provide mechanisms to set (or at least influence) access permissions. When these functions are used to create files, appropriate access permissions should be specified to prevent unintended access.
Non-Compliant Code Example: fopen()
The fopen()
function does not allow the programmer to explicitly specify file access permissions. In the example below, if the call to fopen()
creates a new file, the access permissions for that file will be implementation defined.
Code Block | ||
---|---|---|
| ||
/* ... */ FILE * fptr = fopen(file_name, "w"); if (!fptr){ /* Handle Error */ } /* ... */ |
Implementation Details
Wiki Markup |
---|
On POSIX compliant systems, the permissions may be restricted by the value of the POSIX {{umask()}} function \[[Open Group 04|AA. C References#Open Group 04]\]. |
Wiki Markup |
---|
The operating system modifies the access permissions by computing the intersection of the inverse of the umask and the permissions requested by the process \[[Viega 03|AA. C References#Viega 03]\]. For example, if the variable {{requested_permissions}} contained the permissions passed to the operating system to create a new file, the variable {{actual_permissions}} would be the actual permissions that the operating system would use to create the file: |
Code Block |
---|
requested_permissions = 0666; actual_permissions = requested_permissions & ~umask(); |
For Linux operating systems, any created files will have mode S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH
(0666), as modified by the process' umask value (see fopen(3)).
OpenBSD has the same rule as Linux (see fopen(3)).
Compliant Solution: fopen_s()
(ISO/IEC TR 24731-1)
Wiki Markup |
---|
The {{fopen_s()}} function defined in ISO/IEC TR 24731-1 \[[ISO/IEC TR 24731-2006|AA. C References#ISO/IEC TR 24731-2006]\] can be used to create a file with restriced permissions. Specifically, ISO/IEC TR 24731-1 states: |
If the file is being created, and the first character of the mode string is not 'u', to the extent that the underlying system supports it, the file shall have a file permission that prevents other users on the system from accessing the file. If the file is being created and the first character of the mode string is 'u', then by the time the file has been closed, it shall have the system default file access permissions.
The 'u' character can be thought of as standing for "umask," meaning that these are the same permissions that the file would have been created with by fopen()
.
Code Block | ||
---|---|---|
| ||
/* ... */ FILE *fptr; errno_t res = fopen_s(&fptr, file_name, "w"); if (res != 0) { /* Handle Error */ } /* ... */ |
Non-Compliant Code Example: open()
(POSIX)
Using the POSIX function open()
to create a file but failing to provide access permissions for that file may cause the file to be created with unintended access permissions. This omission has been known to lead to vulnerabilities (for instance, CVE-2006-1174).
Code Block | ||
---|---|---|
| ||
/* ... */ int fd = open(file_name, O_CREAT | O_WRONLY); /* access permissions are missing */ if (fd == -1){ /* Handle Error */ } /* ... */ |
Compliant Solution: open()
(POSIX)
Access permissions for the newly created file should be specified in the third parameter to open()
. Again, the permissions may be influenced by the value of umask()
.
Code Block | ||
---|---|---|
| ||
/* ... */ int fd = open(file_name, O_CREAT | O_WRONLY, file_access_permissions); if (fd == -1){ /* Handle Error */ } /* ... */ |
Wiki Markup |
---|
John Viega and Matt Messier also provide the following advice \[[Viega 03|AA. C References#Viega 03]\]: |
Do not rely on setting the umask to a "secure" value once at the beginning of the program and then calling all file or directory creation functions with overly permissive file modes. Explicitly set the mode of the file at the point of creation. There are two reasons to do this. First, it makes the code clear; your intent concerning permissions is obvious. Second, if an attacker managed to somehow reset the umask between your adjustment of the umask and any of your file creation calls, you could potentially create sensitive files with wide-open permissions.
Risk Assessment
Creating files with weak access permissions may allow unintended access to those files.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
FIO06-A | 2 (medium) | 1 (unlikely) | 2 (medium) | P4 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
Wiki Markup |
---|
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.19.5.3, "The fopen function" \[[Open Group 04|AA. C References#Open Group 04]\] "The open function," "The umask function" \[[ISO/IEC TR 24731-2006|AA. C References#SO/IEC TR 24731-2006]\] Section 6.5.2.1, "The fopen_s function" \[[Viega 03|AA. C References#Viega 03]\] Section 2.7, "Restricting Access Permissions for New Files on Unix" \[[Dowd 06|AA. C References#Dowd 06]\] Chapter 9, "UNIX 1: Privileges and Files" |