Creating a file with insufficiently restrictive access permissions may allow an unprivileged user to access that file. Although access permissions are heavily dependent on the file system, many file-creation functions provide mechanisms to set (or at least influence) access permissions. When these functions are used to create files, appropriate access permissions should be specified to prevent unintended access.

When setting access permissions, it is important to make sure that an attacker is not able to alter them (see FIO15-C. Ensure that file operations are performed in a secure directory).

Noncompliant Code Example (fopen())

The fopen() function does not allow the programmer to explicitly specify file access permissions. In this noncompliant code example, if the call to fopen() creates a new file, the access permissions are implementation-defined.

...

On OpenBSD and Linux, any file created this way will have mode S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH (0666), as modified by the process's umask value. (See fopen(3) in the OpenBSD Manual Pages, http://www.openbsd.org/cgi-bin/man.cgi?query=open&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html [OpenBSD].) With a typical umask of 022 the file ends up world-readable (0644), which is inappropriate for anything sensitive.

Compliant Solution (fopen_s(), ISO/IEC TR 24731-1)

The ISO/IEC TR 24731-1 function fopen_s() can be used to create a file with restricted permissions [ISO/IEC TR 24731-1:2007]. When fopen_s() creates a file for writing, and the mode string does not begin with 'u', the file is created, to the extent the underlying system supports it, with permissions that prevent other users on the system from accessing it.

...

#define __STDC_WANT_LIB_EXT1__ 1  /* request the Annex K / TR 24731-1 interfaces */
#include <stdio.h>

char *file_name;
FILE *fp;

/* initialize file_name */

/* fopen_s() with "w" creates the file so that other users cannot access it */
errno_t res = fopen_s(&fp, file_name, "w");
if (res != 0) {
  /* Handle error */
}

Noncompliant Code Example (open(), POSIX)

Using the POSIX open() function to create a file, but failing to provide access permissions for that file, may cause the file to be created with overly permissive access permissions. Because open() is variadic, the mode argument that O_CREAT requires is simply whatever happens to be on the stack or in the argument register, so the resulting permissions are unpredictable. This omission has been known to lead to vulnerabilities (for example, CVE-2006-1174).

#include <fcntl.h>

char *file_name;
int fd;

/* initialize file_name */

/* O_CREAT requires a third (mode) argument; it is missing here, so the
 * file's permissions are whatever garbage open() reads for that argument */
fd = open(file_name, O_CREAT | O_WRONLY);
/* access permissions were missing */

if (fd == -1) {
  /* Handle error */
}

This example also violates EXP37-C. Call functions with the arguments intended by the API.

Compliant Solution (open(), POSIX)

Access permissions for the newly created file should be specified in the third argument to open(), for example S_IRUSR | S_IWUSR to restrict the file to its owner. Again, the requested permissions are modified by the process's umask, which can only remove bits, never add them, so a restrictive mode passed to open() stays restrictive regardless of the caller's umask.
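The following program is an added example, not code from the CERT page. It makes both points above observable: fopen("w") yields 0666 masked by the umask (0644 under umask 022), while open() with an explicit S_IRUSR | S_IWUSR mode yields 0600. It also adds O_EXCL so that the creation fails rather than silently reusing an existing file or following a symbolic link, and it fstat()s the descriptor afterwards to confirm that no group or other bits are set. The /tmp scratch directory, the file names and the function names are assumptions chosen for the demonstration; a real program would take the destination path from its caller.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create 'path' with fopen("w") while the given umask is in effect and
 * return the permission bits the file actually received, or -1 on error.
 * Shows the implementation-defined default: 0666 & ~umask. */
int fopen_resulting_mode(const char *path, mode_t mask) {
  mode_t old = umask(mask);
  FILE *fp = fopen(path, "w");
  umask(old);                      /* restore the caller's umask immediately */
  if (fp == NULL) {
    return -1;
  }
  struct stat st;
  int rc = fstat(fileno(fp), &st);
  fclose(fp);
  if (rc != 0) {
    return -1;
  }
  return (int)(st.st_mode & 0777);
}

/* Create 'path' readable and writable by the owner only.  O_EXCL refuses
 * to reuse an existing file or follow a symlink at that name.  Returns the
 * permission bits the new file received, or -1 on error or if any group/
 * other bit is set despite the explicit mode. */
int open_owner_only_mode(const char *path) {
  int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR);
  if (fd == -1) {
    return -1;
  }
  struct stat st;
  int rc = fstat(fd, &st);
  close(fd);
  if (rc != 0) {
    return -1;
  }
  /* Defensive check: the umask can only clear bits, so nothing beyond
   * the owner bits should ever appear here. */
  if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
    return -1;
  }
  return (int)(st.st_mode & 0777);
}

/* Run both creators inside a fresh private directory (assumed /tmp scratch
 * location) and report the resulting modes through the out-parameters.
 * Returns 0 on success, -1 if either creation failed. */
int demo_modes(int *fopen_mode_out, int *open_mode_out) {
  char dir[] = "/tmp/fio06-XXXXXX";
  if (mkdtemp(dir) == NULL) {
    return -1;
  }
  char p1[64], p2[64];
  snprintf(p1, sizeof p1, "%s/via_fopen", dir);
  snprintf(p2, sizeof p2, "%s/via_open", dir);
  *fopen_mode_out = fopen_resulting_mode(p1, 022);
  *open_mode_out = open_owner_only_mode(p2);
  unlink(p1);
  unlink(p2);
  rmdir(dir);
  return (*fopen_mode_out < 0 || *open_mode_out < 0) ? -1 : 0;
}

int main(void) {
  int fm, om;
  if (demo_modes(&fm, &om) != 0) {
    perror("demo_modes");
    return 1;
  }
  printf("fopen(\"w\") under umask 022        -> %04o\n", fm);   /* 0644 */
  printf("open(O_CREAT, S_IRUSR|S_IWUSR)    -> %04o\n", om);   /* 0600 */
  return 0;
}
```

The fstat() check after open() is the part worth keeping in production code: it turns an assumption about the platform's treatment of the mode argument into something the program verifies before writing sensitive data.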

...