 

How to ensure correct file permissions

In order to protect an application from being used wrongly, I'm trying to check that its configuration files have correct permissions, so that the application can trust that the content of the files has not been modified by someone else.

I believe the following rules are correct:

  • the file must not be writable by others
  • the file must be owned by a trusted user/group: root, or
  • the file must be owned by the effective user/group running the application (think of a setuid program)

Here is an example:

#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>

#include <string.h>
#include <errno.h>

static
int is_secure(const char *name)
{
    struct stat st;

    uid_t euid = geteuid();
    gid_t egid = getegid();

    if (stat(name, &st) != 0) {
        int err = errno;
        fprintf(stderr, "can't stat() '%s': %d (%s)\n", name, err, strerror(err));
        return 0;
    }

    /* writable by other: unsecure */
    if ((st.st_mode & S_IWOTH) != 0) {
        return 0;
    }

    /* not owned by group root and not owned by effective group: unsecure */
    if (st.st_gid != 0 && st.st_gid != egid) {
        return 0;
    }

    /* not owned by user root and not owned by effective user: unsecure */
    if (st.st_uid != 0 && st.st_uid != euid) {
        return 0;
    }

    return 1;
}

int
main(int argc, char *argv[])
{
    int i;

    for(i = 1; i < argc; i++) {
        printf("'%s' : %s\n", argv[i], is_secure(argv[i]) ? "sure" : "unsure");
    }

    return 0;
}

Since I'm not sure about my assumptions, can someone check whether I have left any loophole in the file permissions check?

Update

sudo has a function for that: sudo_secure_path. It only checks for one uid/gid, but it takes care of checking the group write bit.

Regards.

Yann Droneaud asked May 23 '13 16:05


1 Answer

Your rules and your code look correct to me, although you should be aware of the following security risks that could still affect your implementation.

  1. An attacker with physical access to the machine or NFS/SMB access could mount the file system with a box that has root privileges, and then modify your file.
  2. A vulnerability in another program being run as either the trusted user or root could allow that program to be exploited to modify your file.
  3. All it would take to break your security check would be a careless user or sys-admin that messes up the privilege settings of the file. I've seen this happen during backups and copies to thumb drives, etc.
  4. Also make sure the file is not executable. I can't think of an instance where this could be exploited on a config file, but the general rule with security is don't give any privileges that aren't required for the job.

As you can see these are not issues under control of your code. Therefore, you should make sure your client is aware of these risks before assuring them of the non-tamperability of the config file.

Freedom_Ben answered Oct 05 '22 22:10
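The following is an added example (not the asker's program, not sudo's sudo_secure_path, and not part of the answer) that combines the question's three ownership rules, the group-write check mentioned in the update, and the answer's point 4 about executable bits into one check. It differs from the posted program in one structural way: it opens the file first (read-only, refusing a final symlink) and vets the resulting descriptor with fstat(), so the verdict applies to exactly the inode the application will go on to read, rather than to whatever stat() saw a moment earlier. The enum names, the allow_group_write flag, and the /tmp-based helper used for the self-test are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Why a file was rejected; SECURE_OK means it passed every rule. (Names are this example's own.) */
enum secure_reason {
    SECURE_OK = 0,
    SECURE_STAT_FAILED,
    SECURE_NOT_REGULAR,
    SECURE_WORLD_WRITABLE,
    SECURE_GROUP_WRITABLE,
    SECURE_EXECUTABLE,
    SECURE_BAD_OWNER,
    SECURE_BAD_GROUP
};

/* Vet an already-open descriptor. Trusted owner: root or euid. Trusted group: root or egid.
 * The group-write bit is rejected unless allow_group_write is non-zero (sudo-style strictness
 * by default). Any execute bit is rejected, as a config file never needs one. */
enum secure_reason check_fd_secure(int fd, uid_t euid, gid_t egid, int allow_group_write)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return SECURE_STAT_FAILED;
    if (!S_ISREG(st.st_mode))              /* a FIFO, device or directory is never a config file */
        return SECURE_NOT_REGULAR;
    if (st.st_mode & S_IWOTH)
        return SECURE_WORLD_WRITABLE;
    if (!allow_group_write && (st.st_mode & S_IWGRP))
        return SECURE_GROUP_WRITABLE;
    if (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))
        return SECURE_EXECUTABLE;
    if (st.st_uid != 0 && st.st_uid != euid)
        return SECURE_BAD_OWNER;
    if (st.st_gid != 0 && st.st_gid != egid)
        return SECURE_BAD_GROUP;
    return SECURE_OK;
}

/* Open path read-only without following a symlink in the final component, then vet the
 * descriptor itself. Returns the fd on success, or -1 with *reason filled in. */
int open_config_secure(const char *path, enum secure_reason *reason)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);

    if (fd < 0) {
        *reason = SECURE_STAT_FAILED;
        return -1;
    }
    *reason = check_fd_secure(fd, geteuid(), getegid(), 0);
    if (*reason != SECURE_OK) {
        close(fd);
        return -1;
    }
    return fd;
}

const char *secure_reason_str(enum secure_reason r)
{
    switch (r) {
    case SECURE_OK:             return "secure";
    case SECURE_STAT_FAILED:    return "cannot open/stat";
    case SECURE_NOT_REGULAR:    return "not a regular file";
    case SECURE_WORLD_WRITABLE: return "world-writable";
    case SECURE_GROUP_WRITABLE: return "group-writable";
    case SECURE_EXECUTABLE:     return "executable bit set";
    case SECURE_BAD_OWNER:      return "untrusted owner";
    case SECURE_BAD_GROUP:      return "untrusted group";
    }
    return "unknown";
}

/* Demo helper (assumption: /tmp is writable): create a private temp file, set mode, return fd.
 * The caller unlinks path_out when done. */
int make_temp_file_with_mode(mode_t mode, char *path_out, size_t path_len)
{
    char tmpl[] = "/tmp/seccheck-XXXXXX";       /* constructed name, not from the page */
    int fd = mkstemp(tmpl);                     /* created 0600, owned by the caller */

    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    snprintf(path_out, path_len, "%s", tmpl);
    return fd;
}

int main(int argc, char *argv[])
{
    int i;

    for (i = 1; i < argc; i++) {
        enum secure_reason r;
        int fd = open_config_secure(argv[i], &r);

        printf("'%s' : %s\n", argv[i], secure_reason_str(r));
        if (fd >= 0)
            close(fd);                          /* a real program would read the config here */
    }
    return 0;
}
```

Run it as `./seccheck /etc/myapp.conf` to get one verdict per argument. The point of returning the descriptor from open_config_secure is that the caller reads from that same fd; re-opening by path after the check would reintroduce the stat()/open() window that the answer's "careless sysadmin" and "other compromised process" scenarios can exploit.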