xref: /freebsd/lib/libutil/_secure_path.3 (revision 4543ef516683042d46f3bd3bb8a4f3f746e00499) 
1.\" Copyright (c) 1997 David Nugent <davidn@blaze.net.au>
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, is permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice immediately at the beginning of the file, without modification,
9.\"    this list of conditions, and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\"    notice, this list of conditions and the following disclaimer in the
12.\"    documentation and/or other materials provided with the distribution.
13.\" 3. This work was done expressly for inclusion into FreeBSD.  Other use
14.\"    is permitted provided this notation is included.
15.\" 4. Absolutely no warranty of function or purpose is made by the author
16.\"    David Nugent.
17.\" 5. Modifications may be freely made to this file providing the above
18.\"    conditions are met.
19.\"
20.Dd May 10, 2020
21.Dt _SECURE_PATH 3
22.Os
23.Sh NAME
24.Nm _secure_path
25.Nd determine if a file appears to be secure
26.Sh LIBRARY
27.Lb libutil
28.Sh SYNOPSIS
29.In sys/types.h
30.In libutil.h
31.Ft int
32.Fn _secure_path "const char *path" "uid_t uid" "gid_t gid"
33.Sh DESCRIPTION
34This function does some basic security checking on a given path.
35It is intended to be used by processes running with root privileges
36in order to decide whether or not to trust the contents of a given
37file.
38It uses a method often used to detect system compromise.
39.Pp
40A file is considered
41.Sq secure
42if it meets the following conditions:
43.Bl -enum
44.It
45The file exists, and is a regular file (not a symlink, device
46special or named pipe, etc.),
47.It
48Is not world writable.
49.It
50Is owned by the given uid or uid 0, if uid is not -1,
51.It
52Is not group writable or it has group ownership by the given
53gid, if gid is not -1.
54.El
55.Sh RETURN VALUES
56This function returns zero if the file exists and may be
57considered secure, -2 if the file does not exist, and
58-1 otherwise to indicate a security failure.
59The
60.Xr syslog 3
61function is used to log any failure of this function, including the
62reason, at LOG_ERR priority.
63.Sh SEE ALSO
64.Xr lstat 2 ,
65.Xr syslog 3
66.Sh HISTORY
67Code from which this function was derived was contributed to the
68.Fx
69project by Berkeley Software Design, Inc.
70The function
71.Fn _secure_path
72first appeared in
73.Fx 2.2.5 .
74.Sh BUGS
75The checks carried out are rudimentary and no attempt is made
76to eliminate race conditions between use of this function and
77access to the file referenced.
78