_secure_path.3   [plain text]


.\" Copyright (c) 1997 David Nugent <davidn@blaze.net.au>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, is permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice immediately at the beginning of the file, without modification,
.\"    this list of conditions, and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. This work was done expressly for inclusion into FreeBSD.  Other use
.\"    is permitted provided this notation is included.
.\" 4. Absolutely no warranty of function or purpose is made by the author
.\"    David Nugent.
.\" 5. Modifications may be freely made to this file providing the above
.\"    conditions are met.
.\"
.\" $FreeBSD: src/lib/libutil/_secure_path.3,v 1.13 2005/01/20 09:17:07 ru Exp $
.\"
.Dd May 2, 1997
.Os
.Dt _SECURE_PATH 3
.Sh NAME
.Nm _secure_path
.Nd determine if a file appears to be secure
.Sh LIBRARY
.Lb libutil
.Sh SYNOPSIS
.In sys/types.h
.In libutil.h
.Ft int
.Fn _secure_path "const char *path" "uid_t uid" "gid_t gid"
.Sh DESCRIPTION
This function does some basic security checking on a given path.
It is intended to be used by processes running with root privileges
in order to decide whether or not to trust the contents of a given
file.
It uses a method often used to detect system compromise.
.Pp
A file is considered
.Sq secure
if it meets the following conditions:
.Bl -enum
.It
The file exists, and is a regular file (not a symlink, device
special or named pipe, etc.),
.It
Is not world writable.
.It
Is owned by the given uid or uid 0, if uid is not -1,
.It
Is not group writable or it has group ownership by the given
gid, if gid is not -1.
.El
.Sh RETURN VALUES
This function returns zero if the file exists and may be
considered secure, -2 if the file does not exist, and
-1 otherwise to indicate a security failure.
The
.Xr syslog 3
function is used to log any failure of this function, including the
reason, at LOG_ERR priority.
.Sh SEE ALSO
.Xr lstat 2 ,
.Xr syslog 3
.Sh HISTORY
Code from which this function was derived was contributed to the
.Fx
project by Berkeley Software Design, Inc.
.Sh BUGS
The checks carried out are rudimentary and no attempt is made
to eliminate race conditions between use of this function and
access to the file referenced.