SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 94

changes.mady.by.user Justin Pincar

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Creating a file with weak insufficiently restrictive access permissions may allow unintended an unprivileged user to access to that file. Although access permissions are heavily dependent on the file system, many file-creation functions provide mechanisms to set (or at least influence) access permissions. When these functions are used to create files, appropriate access permissions should be specified to prevent unintended access.

...

When setting access permissions, it is important to make sure that an attacker cannot alter them. (See FIO15-C. Ensure that file operations are performed in a secure directory.)

Noncompliant Code Example (fopen())

The fopen() function does not allow the programmer to explicitly specify file access permissions. In the this noncompliant code example below, if the call to fopen() creates a new file, the access permissions are implementation-defined.:

Code Block
bgColor#FFCCCC
langc
char *file_name;
FILE *fp;

/* ...Initialize file_name */
FILE * fptr
fp = fopen(file_name, "w");
if (!fptrfp){
  /* Handle Errorerror */
}
/* ... */

Implementation Details

...

On POSIX-compliant systems, the permissions may be restricted by the value of the POSIX {{umask()}} function \[[Open Group 04|AA. C References#Open Group 04]\].

Wiki Markup
The operating system modifies the access permissions by computing the intersection of the inverse of the umask and the permissions requested by the process \[[Viega 03|AA. C References#Viega 03]\]. For example, if the variable {{requested_permissions}} contained the permissions passed to the operating system to create a new file, the variable {{actual_permissions}} would be the actual permissions that the operating system would use to create the file:

[IEEE Std 1003.1:2013].

The operating system modifies the access permissions by computing the intersection of the inverse of the umask and the permissions requested by the process [Viega 2003]. For example, if the variable requested_permissions contained the permissions passed to the operating system to create a new file, the variable actual_permissions would be the actual permissions that the operating system would use to create the file:

Code Block
Code Block

requested_permissions = 0666;
actual_permissions = requested_permissions & ~umask();

For OpenBSD and Linux operating systems, any file created files will have mode S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH (0666), as modified by the process's umask value. (see See fopen(3)). in the OpenBSD Manual Pages [OpenBSD].)

Compliant Solution

...

(fopen_s()

...

, C11 Annex K)

The C11 Annex K function Wiki MarkupThe {{fopen_s()}} function defined in ISO/IEC TR 24731-1 \[[ISO/IEC TR 24731-1-2007|AA. C References#ISO/IEC TR 24731-1-2007]\] can be used to create a file with restricted permissions. Specifically, permissions [ISO/IEC TR 24731-1 states9899:2011]:

If the file is being created, and the first character of the mode string is not 'u', to the extent that the underlying system supports it, the file shall have a file permission that prevents other users on the system from accessing the file. If the file is being created and the first character of the mode string is 'u', then by the time the file has been closed, it shall have the system default file access permissions.

The 'u' character can be thought of as standing for "umask," meaning that these are the same permissions that the file would have been created with had it been created by fopen(). In this compliant solution, the u mode character is omitted so that the file is opened with restricted privileges (regardless of the umask):

Code Block
bgColor#ccccff
langc
char *file_name;
FILE *fp;

/* ... Initialize file_name */
FILE *fptr;
errno_t res = fopen_s(&fptrfp, file_name, "wwx");
if (res != 0) {
  /* Handle Errorerror */
}
/* ... */

...

On Windows, fopen_s() will create the file with security permissions based on the user executing the application. For more controlled permission schemes, consider using the CreateFile() function and specifying the SECURITY_ATTRIBUTES parameter.
Noncompliant Code Example (open(), POSIX)
Using the POSIX function open() function to create a file , but failing to provide access permissions for that file , may cause the file to be created with unintended overly permissive access permissions. This omission has been known to lead to vulnerabilities (for instance—for example, CVE-2006-1174).
 Code Block
bgColor#FFCCCC
langc
char *file_name;
int fd;

/* ... Initialize file_name */

int fd = open(file_name, O_CREAT | O_WRONLY); 
/* accessAccess permissions arewere missing */

if (fd == -1){
  /* Handle Errorerror */
}
/* ... */

This example also violates EXP37-C. Call functions with the correct number and type of arguments.
Compliant Solution 
...
(open()
...
, POSIX)
Access permissions for the newly created file should be specified in the third parameter argument to open(). Again, the permissions will be are modified by the value of umask().
 Code Block
bgColor#ccccff
langc
char *file_name;
int file_access_permissions;

/* ...Initialize file_name and file_access_permissions */

int fd = open(
  file_name,
  O_CREAT | O_WRONLY,
  file_access_permissions
);
if (fd == -1){
  /* Handle Errorerror */
}
/* ... */

 Wiki MarkupJohn   Viega   and   Matt   Messier   also   provide   the   following   advice  \ [[Viega 03|AA. C References#Viega 03]\]Viega 2003]:
Do not rely on setting the umask to a "secure" value once at the beginning of the program and then calling all file or directory creation functions with overly permissive file modes. Explicitly set the mode of the file at the point of creation. There are two reasons to do this. First, it makes the code clear; your intent concerning permissions is obvious. Second, if an attacker managed to somehow reset the umask between your adjustment of the umask and any of your file creation calls, you could potentially create sensitive files with wide-open permissions.
Risk Assessment
Creating files with weak access permissions may allow unintended access to those files.
Recommendation
Severity
Likelihood
Remediation Cost
Priority
Level
FIO06-
A 
C
 medium 
Medium
 unlikely 
Probable
 medium 
High
P4
L3
Automated Detection
Tool
Version
Checker
Description
CodeSonar
 Include Page
CodeSonar_V
CodeSonar_V
(customization)
CodeSonar's custom checking infrastructure allows users to implement checks such as the following.
  • A check for all uses of fopen().
  • A check for calls to open() with only two arguments.
  • A check for calls to open() where the third argument does not satisfy some specified requirement.
Helix QAC
 Include Page
Helix QAC_V
Helix QAC_V
C5013
LDRA tool suite
 Include Page
LDRA_V
LDRA_V
44 SEnhanced Enforcement
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
...
Related Guidelines
SEI CERT C++ Coding StandardVOID FIO06-CPP. Create files with appropriate access permissions
CERT Oracle Secure Coding Standard for JavaFIO01-J. Create files with appropriate access permissions
ISO/IEC TR 24772:2013Missing or Inconsistent Access Control [XZN]
MITRE CWECWE-276, Insecure default permissions
CWE-279, Insecure execution-assigned permissions
CWE-732, Incorrect permission assignment for critical resource
Bibliography
[CVE]
[Dowd 2006]Chapter 9, "UNIX 1: Privileges and Files"
[IEEE Std 1003.1:2013]XSH, System Interfaces, open
XSH, System Interfaces, umask
[ISO/IEC 9899:2011]Subclause K.3.5.2.1, 
...
 "
...
The fopen_s
...
 Function"
...
[OpenBSD]
[Viega 
...
2003]Section 2.7, 
...
 "Restricting 
...
 Access 
...
 Permissions 
...
 for 
...
 New 
...
 Files 
...
 on 
...
 UNIX"

...
Image Added Image Added Image Added 1: Privileges and Files"FIO05-A. Identify files using multiple file attributes      09. Input Output (FIO)       FIO07-A. Prefer fseek() to rewind()